MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2aecab4d8aabdedc75c03cfc858047dea40c2022430a282dac70b0b6a1d67947. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2aecab4d8aabdedc75c03cfc858047dea40c2022430a282dac70b0b6a1d67947
SHA3-384 hash: cca6bde33c512246598d80309723ba8f195a3af29d473cad691e6f0e1b0d98efaaa673b80d555c53261cb5ade946b471
SHA1 hash: a429a9cbe3ca8b17e5872245392ee00a58e87a7f
MD5 hash: 0bdd578b152ee7bf861dad905458d0c3
humanhash: alaska-utah-undress-moon
File name:0bdd578b152ee7bf861dad905458d0c3.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:8'564'649 bytes
First seen:2023-08-17 18:12:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:RdQsvC+bT/9bvLz3S1bA322rl9OqUONuYPdT:RvpbTlj3S1bO22jOqUONuwT
Threatray 371 similar samples on MalwareBazaar
TLSH T14C863399A3C10EE5E477C53AC2D28909D9B0711B43A4DECF03A0A6B61F17BD48D7BB52
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:DCRat exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0bdd578b152ee7bf861dad905458d0c3.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-17 19:21:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c291c34e-32a7-470f-b150-735bddb198ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443268/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Сreating synchronization primitives
Creating a file
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Sending an HTTP GET request
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/103061/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2aecab4d8aabdedc75c03cfc858047dea40c2022430a282dac70b0b6a1d67947
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9da45c5e-638e-44a5-b018-b291e6b9beef
Result
Threat name:
Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292987
Signature
Adds a directory exclusion to Windows Defender
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Removes signatures from Windows Defender
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Blank Grabber
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1292987 Sample: wzEQmMNRNT.exe Startdate: 17/08/2023 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 4 other signatures 2->74 8 wzEQmMNRNT.exe 62 2->8         started        process3 file4 46 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32+ 8->46 dropped 48 C:\Users\user\AppData\Local\...\rarreg.key, ASCII 8->48 dropped 50 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 8->50 dropped 52 55 other files (none is malicious) 8->52 dropped 76 May check the online IP address of the machine 8->76 78 Modifies Windows Defender protection settings 8->78 80 Adds a directory exclusion to Windows Defender 8->80 82 Removes signatures from Windows Defender 8->82 12 wzEQmMNRNT.exe 1 8->12         started        signatures5 process6 dnsIp7 56 ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States 12->56 58 blank-swx2k.in 12->58 54 C:\Users\user\AppData\Local\Temp\bound.exe, PE32 12->54 dropped 84 Modifies Windows Defender protection settings 12->84 86 Adds a directory exclusion to Windows Defender 12->86 88 Removes signatures from Windows Defender 12->88 17 cmd.exe 12->17         started        20 cmd.exe 1 12->20         started        22 cmd.exe 12->22         started        24 5 other processes 12->24 file8 signatures9 process10 signatures11 64 Modifies Windows Defender protection settings 17->64 66 Adds a directory exclusion to Windows Defender 17->66 26 powershell.exe 19 17->26         started        28 conhost.exe 17->28         started        30 bound.exe 2 20->30         started        34 conhost.exe 20->34         started        36 WMIC.exe 22->36         started        38 conhost.exe 22->38         started        40 powershell.exe 20 24->40         started        42 mshta.exe 18 24->42         started        44 6 other processes 24->44 process12 dnsIp13 60 45.141.215.252, 53631 SPECTRAIPSpectraIPBVNL Netherlands 30->60 62 127.0.0.1 unknown unknown 30->62 90 Multi AV Scanner detection for dropped file 30->90 92 DLL side loading technique detected 36->92 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2aecab4d8aabdedc75c03cfc858047dea40c2022430a282dac70b0b6a1d67947/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-13 13:32:18 UTC
File Type:
PE+ (Exe)
Extracted files:
424
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=flwkwtmkvppny5oaht6ilach32sayibcimfcqlnmocylniowpfdq._file
Verdict:
malicious
Similar samples:
02c46e5cdd2a1760d75fa958986c30d19ccef6514c7460038a1c0691ab709bd5
DCRat
5d17781561881f8c412498515db843561d6a8971009431f390de99b3a46ec4bc
DCRat
94d64d00b0aa175cc28ecac33d829a33411cd0cb549018852c0ae82d592f5ec6
DCRat
9d85f7e7bbce1fc023353548d2bd1a54223370ccc64f073bcd473545aa36f6bc
DCRat
ad829cd3745ba3d5e2268b4db60304039e3b721c926359eba14efd7a1bee3d46
DCRat
b692e438cef89dc57d7cf774a1eaa97ff88fd1e9c287546ad685bb9b3e9a6bac
DCRat
c072f81e922796d43b29a7f7b59b7c6f3a4ff70a05ea1f5b6523ee1b809fabf3
DCRat
d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4
DCRat
f85f4dbc85dd285bcfe990522565ca697b13f6aa865e3f64e730964d78ca775f
DCRat
+ 361 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/230817-wtrvbsbg67/
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
2aecab4d8aabdedc75c03cfc858047dea40c2022430a282dac70b0b6a1d67947
MD5 hash:
0bdd578b152ee7bf861dad905458d0c3
SHA1 hash:
a429a9cbe3ca8b17e5872245392ee00a58e87a7f
Link:
https://www.unpac.me/results/92331c2a-6362-436b-8a8c-5d7fe83cef78/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2aecab4d8aab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2aecab4d8aabdedc75c03cfc858047dea40c2022430a282dac70b0b6a1d67947

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/443268/

Comments