MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23c9fe013be7bed47c421bb84e272c492787dc16d773596263d4f25f638d8e6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	23c9fe013be7bed47c421bb84e272c492787dc16d773596263d4f25f638d8e6f
SHA3-384 hash:	406b726b2c11a2e7e078356e33a64f2bbbf811725c34fd59d079f610dc666103b2b1cd03108dcbeb117cc52a14cbbb6c
SHA1 hash:	6313c4d71f8f32c3a9a09aec53ad077450e93c6d
MD5 hash:	4875520c9ca5448cbb60c1d6a602e5ef
humanhash:	oklahoma-monkey-william-beryllium
File name:	HEUR-Backdoor.MSIL.LightStone.gen-23c9fe013be.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'105'408 bytes
First seen:	2022-12-30 17:10:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	24576:hJM+dq9GY9XzAnEUlZs7kQOg7tUhyy3F+4:/58URq5szc
Threatray	3'180 similar samples on MalwareBazaar
TLSH	T14235F5027688DD02D0A91637C9EFC42807B8FD436B62DA1B7E9F339C64563A75D0E5CA
TrID	47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.4% (.SCR) Windows screen saver (13097/50/3) 6.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://a0562386.xsph.ru/externalVideoauth.php

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

dcrat

ID:

File name:

HEUR-Backdoor.MSIL.LightStone.gen-23c9fe013be.exe

Verdict:

Malicious activity

Analysis date:

2022-12-30 17:11:47 UTC

Tags:

trojan rat backdoor dcrat

Link:

https://app.any.run/tasks/49571de5-69a3-45c2-bb3c-bffa824b226f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Creating a file

Launching a process

Creating a file in the system32 subdirectories

Creating a file in the Program Files subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

DNS request

Connecting to a non-recommended domain

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm cmd.exe dcrat explorer.exe hacktool obfuscated packed stealer

Link:

https://www.filescan.io/uploads/63af1ba7a70bef46551c3df6/reports/1a875ea3-4294-4c2f-b0a3-2a4f8845d6f3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/abb4f94a-6f99-4828-8389-a115529ccac4

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1143270

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with benign system names

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sigma detected: Schedule system process

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/23c9fe013be7bed47c421bb84e272c492787dc16d773596263d4f25f638d8e6f/

Threat name:

ByteCode-MSIL.Backdoor.LightStone

Status:

Malicious

First seen:

2021-07-16 20:09:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=epe74aj3467ni7ccdo4e4jzmjetypxaw25zvsytd2tzf6y4nrzxq._file

Verdict:

malicious

DCRat

346b769168c5fc8865428098350048f6e604a7a7bd5846bf03d99e4244663706

DCRat

58a7160bc9c6b737602ae6560a308cc5a824807f6ba4fb61efc5d5bb0c41ff91

DCRat

629c671a92b4a3af617c2d8fe133430ab77aac0acb07914f047f8868eb9ed92a

DCRat

8a5bec4293f13f84bbbcf619299eff545fe08f3276d9530381abd41d31a60300

DCRat

bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0

DCRat

d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e

DCRat

d700e68d1c067c7bb297805d8429aa95cde9b6ec484c490ebdb01fc9689b1a31

DCRat

+ 3'170 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat infostealer rat

Link:

https://tria.ge/reports/221230-vp9nxabc6w/

Behaviour

Creates scheduled task(s)

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Checks computer location settings

Executes dropped EXE

DCRat payload

DcRat

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1b28b605-cde6-4ea7-b879-f0498b38be51

Unpacked files

SH256 hash:

2ccddb6d5756aaf811e5af7bd88a440d9e996840de2f0675faed25370af7f8b0

MD5 hash:

eeab72efbb3892dd1b133b9f9fbf47d2

SHA1 hash:

3f851df0b4eda9af04da6195536a517b19d66e4d

Link:

https://www.unpac.me/results/730cc0f4-533a-4798-a9d9-e5d70ebff4b0/

SH256 hash:

23c9fe013be7bed47c421bb84e272c492787dc16d773596263d4f25f638d8e6f

MD5 hash:

4875520c9ca5448cbb60c1d6a602e5ef

SHA1 hash:

6313c4d71f8f32c3a9a09aec53ad077450e93c6d

Link:

https://www.unpac.me/results/730cc0f4-533a-4798-a9d9-e5d70ebff4b0/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/23c9fe013be7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/23c9fe013be7bed47c421bb84e272c492787dc16d773596263d4f25f638d8e6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample