MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24277b308f5f5d2154a648564965df5153921a2b66e3766223732f7f9cfeaca8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24277b308f5f5d2154a648564965df5153921a2b66e3766223732f7f9cfeaca8
SHA3-384 hash: 6c155093ee0f66c89a69e4ff2f533f91decbfe70b622dd9d9c6668e202fe24f149f189dbcdce086989447d378213b797
SHA1 hash: 01a144e221c3a67b4bdc2ad3662a682b66d4dd4a
MD5 hash: 1031f7f6ee923fa952dbe18807039570
humanhash: two-foxtrot-idaho-iowa
File name:WEXTRACT.EXE
Download: download sample
Signature DCRat
Create hunting rule
File size:7'566'336 bytes
First seen:2023-02-01 20:06:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 72 x LummaStealer, 62 x Rhadamanthys)
ssdeep 196608:pbZpm896G7CCcWhF4Ps71GyFoQRC79BHDTZ:plp+Ps7wyF3gBBnZ
TLSH T1A276330176D42A59E4E46278C6D6C3BD91207ABB9FF54CFBB328B5FA28731D4652020F
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f4ccccd5e8ccccf0 (1 x DCRat)
Reporter adm1n_usa32
Tags:64 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
US US
Vendor Threat Intelligence
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/359249/
Detection(s):
Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
DNS request
Running batch commands
Setting a single autorun event
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/64621/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll dcrat packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63dac6671c9cbf7d6255324f/reports/d4934855-5dff-4739-9747-6638f63d7764/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b333f415-56f8-408e-a3d9-f46ef19efe57
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1163636
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 796404 Sample: WEXTRACT.EXE.exe Startdate: 01/02/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Antivirus detection for URL or domain 2->53 55 Antivirus detection for dropped file 2->55 57 10 other signatures 2->57 9 WEXTRACT.EXE.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 schtasks.exe 2->14         started        16 21 other processes 2->16 process3 file4 37 C:\Users\user\AppData\Local\Temp\...\bb.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\Local\...\BOOSTE~1.EXE, PE32 9->39 dropped 18 bb.exe 3 6 9->18         started        21 BOOSTE~1.EXE 15 4 9->21         started        process5 dnsIp6 35 C:\Webwinruntime\Mshyperweb.exe, PE32 18->35 dropped 25 wscript.exe 1 18->25         started        49 pastebin.com 172.67.34.170, 443, 49702, 49703 CLOUDFLARENETUS United States 21->49 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->61 file7 signatures8 process9 process10 27 cmd.exe 1 25->27         started        process11 29 Mshyperweb.exe 3 67 27->29         started        33 conhost.exe 27->33         started        file12 41 C:\Windows\Prefetch\winlogon.exe, PE32 29->41 dropped 43 C:\Windows\Prefetch\RCX4D26.tmp, PE32 29->43 dropped 45 C:\Windows\Prefetch\RCX4C2B.tmp, PE32 29->45 dropped 47 46 other malicious files 29->47 dropped 63 Creates processes via WMI 29->63 65 Drops PE files with benign system names 29->65 67 Drops executable to a common third party application directory 29->67 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24277b308f5f5d2154a648564965df5153921a2b66e3766223732f7f9cfeaca8/
Threat name:
Win64.Trojan.Runner
Create hunting rule
Status:
Malicious
First seen:
2023-01-26 19:32:14 UTC
File Type:
PE+ (Exe)
Extracted files:
56
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqtxwmepl5oscvfgjbleszo7kfjzegrlm3rxmyrdomxx7hh6vsua._file
Verdict:
malicious
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat discovery evasion infostealer persistence rat trojan
Link:
https://tria.ge/reports/230201-yvzbxadf2t/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Modifies boot configuration data using bcdedit
Checks computer location settings
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
24277b308f5f5d2154a648564965df5153921a2b66e3766223732f7f9cfeaca8
MD5 hash:
1031f7f6ee923fa952dbe18807039570
SHA1 hash:
01a144e221c3a67b4bdc2ad3662a682b66d4dd4a
Link:
https://www.unpac.me/results/cf8f518c-355e-4e1a-b760-98e0c86066d3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/24277b308f5f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24277b308f5f5d2154a648564965df5153921a2b66e3766223732f7f9cfeaca8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/359249/

Comments