MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f2c235e93529aff918ec8634035b3069992ebb16ef8042903edd07b0a21db5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f2c235e93529aff918ec8634035b3069992ebb16ef8042903edd07b0a21db5b
SHA3-384 hash: 4df8beac9de89de90e060ab0e7a02ede53599c705e37887b3c03c47cffcd86eb98754b2304a08c85b9b4349815db1d4c
SHA1 hash: f99c489b40cc8f558e7bc13222b60b84823d7fa8
MD5 hash: 2248fa599635664dad22d456b4946073
humanhash: vegan-lactose-vegan-video
File name:2248FA599635664DAD22D456B4946073.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'339'904 bytes
First seen:2021-07-16 20:30:59 UTC
Last seen:2021-07-16 21:40:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:AvV7bAL15hUCkHwBf0vYVuiLhNC9+wxPUXNTJX2l8Ss8sY5DFY7mOWIgXkSz0:AvFO19Bf0IJN4+IMXNd2laMDS6kSz
Threatray 49 similar samples on MalwareBazaar
TLSH T10E55332308095690FCC1A4F6CF3F2154EA711A664F7435F0989B2F2A51689BFD53BDB8
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://62.109.4.26/ProcessprocessorAuth.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.109.4.26/ProcessprocessorAuth.php https://threatfox.abuse.ch/ioc/160834/

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2248FA599635664DAD22D456B4946073.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 20:32:39 UTC
Tags:
trojan rat backdoor dcrat evasion
Link:
https://app.any.run/tasks/ca5b2f86-8c80-42df-96e2-99f60f9a2346

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172269/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e637959c-b66b-43cf-b2a9-4bff35d4dcac
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817710
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450121 Sample: 108v69PzkU.exe Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 88 Found malware configuration 2->88 90 Multi AV Scanner detection for dropped file 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 12 other signatures 2->94 9 108v69PzkU.exe 4 16 2->9         started        13 csrss.exe 3 2->13         started        15 sihost.exe 2->15         started        17 4 other processes 2->17 process3 file4 72 C:\Windows\SysWOW64\...\RuntimeBroker.exe, PE32 9->72 dropped 74 C:\Windows\Setup\State\csrss.exe, PE32 9->74 dropped 76 C:\Program Files (x86)\...\nlPxbanYVzYhbq.exe, PE32 9->76 dropped 78 4 other malicious files 9->78 dropped 102 Detected unpacking (changes PE section rights) 9->102 104 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->104 106 Uses schtasks.exe or at.exe to add and modify task schedules 9->106 116 3 other signatures 9->116 19 cmd.exe 1 9->19         started        22 schtasks.exe 1 9->22         started        24 schtasks.exe 1 9->24         started        26 schtasks.exe 1 9->26         started        108 Multi AV Scanner detection for dropped file 13->108 110 Machine Learning detection for dropped file 13->110 112 Tries to evade analysis by execution special instruction which cause usermode exception 13->112 114 Hides threads from debuggers 15->114 signatures5 process6 signatures7 96 Uses ping.exe to sleep 19->96 98 Uses ping.exe to check the status of other devices and networks 19->98 28 108v69PzkU.exe 20 19->28         started        32 conhost.exe 19->32         started        34 PING.EXE 1 19->34         started        36 chcp.com 1 19->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        process8 file9 80 C:\Users\Default\Desktop\sihost.exe, PE32 28->80 dropped 82 C:\ProgramData\USOShared\Logs\WmiPrvSE.exe, PE32 28->82 dropped 84 C:\ProgramData\Microsoft Help\smss.exe, PE32 28->84 dropped 86 8 other malicious files 28->86 dropped 120 Hides threads from debuggers 28->120 122 Drops executable to a common third party application directory 28->122 124 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->124 44 cmd.exe 28->44         started        47 schtasks.exe 28->47         started        49 schtasks.exe 28->49         started        53 3 other processes 28->53 51 conhost.exe 38->51         started        signatures10 process11 signatures12 118 Uses ping.exe to sleep 44->118 55 smss.exe 44->55         started        58 conhost.exe 44->58         started        60 chcp.com 44->60         started        62 PING.EXE 44->62         started        64 conhost.exe 47->64         started        66 conhost.exe 49->66         started        68 conhost.exe 53->68         started        70 conhost.exe 53->70         started        process13 signatures14 100 Hides threads from debuggers 55->100
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f2c235e93529aff918ec8634035b3069992ebb16ef8042903edd07b0a21db5b/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 16:20:48 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4wcgxutkknp7emozbruannta2mzf25rn34aikid5xihwcrb3nnq._file
Verdict:
suspicious
Similar samples:
106c12a3e09c4585808382c93be13f5b60f7cd86e5a28d638d9de5f6662f3609
DCRat
11a153c8afaa36b8af99ceb85f50b7b923ddacb921dfa9888e0c49d795933075
DCRat
1c22fc802845f881de088ba734ea7d78e0434451a08515875b6d4b2a57f4e90e
DCRat
25a5d91f4c867eb1436fdba263123537b96a582fd0f80dccf96537198678925e
DCRat
43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f
DCRat
5f3d5f1a734020dabc57565c29f60194eb2a0fd1eba8fd7a041c6329d5803f78
DCRat
9a080e918c88adb048ffca38c0604318eee80e19be5a578186a63cdd64d45a41
DCRat
bb13cf7f4d7f5db58730a4dd948093ab12ee0f65c2393784e43143913d51130b
DCRat
bd15b8dc3c9eeddcc7e33877876fb0d3856495b473df950f50bec4701db73d5c
DCRat
+ 39 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210716-7aexedm9s2/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
4fcd0dd095f2bcaa99de43086197beadeba84c83b6b9b5a5b7427be28bd6f888
MD5 hash:
77963344493641280745c805dc9a1d7e
SHA1 hash:
38a76e9b063c7f5d5a6118084eb3ec146b408419
Link:
https://www.unpac.me/results/23b9546e-5e1b-42ba-a228-45a8812ba95c/
SH256 hash:
1f2c235e93529aff918ec8634035b3069992ebb16ef8042903edd07b0a21db5b
MD5 hash:
2248fa599635664dad22d456b4946073
SHA1 hash:
f99c489b40cc8f558e7bc13222b60b84823d7fa8
Link:
https://www.unpac.me/results/23b9546e-5e1b-42ba-a228-45a8812ba95c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f2c235e93529aff918ec8634035b3069992ebb16ef8042903edd07b0a21db5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172269/

Comments