MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cf79d95f091de4c39f2e9e54d261034dc24abf9959634676cf61c16ce100982. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cf79d95f091de4c39f2e9e54d261034dc24abf9959634676cf61c16ce100982
SHA3-384 hash: 486902e9d3bfcdccb385cb987081c2a36fbda4418c19d3ec68bfede4710f2366808c71058108767dfee25be8ab65c32a
SHA1 hash: 6226241f0151fe2627b37a49b4fe119276bf49d7
MD5 hash: b0f507df0c08ba62c292c295bb183b5c
humanhash: cardinal-mexico-wyoming-sierra
File name:2CF79D95F091DE4C39F2E9E54D261034DC24ABF995963.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'006'512 bytes
First seen:2022-01-03 13:16:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:RvLwHJNvs2+LwwFrKm9t4kY8liexChxY2:lwpN0dUwFrt9t46linY2
Threatray 534 similar samples on MalwareBazaar
TLSH T1C495E15CAE9FCA03FFF00D348C96C81896B6BD99602EC61A1B5CB56BB472BF324541C5
File icon (PE):PE icon
dhash icon 90b88896b2ea6a6a (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://62.109.17.4/system/recordlimitgame/Prefsearcherdata/script/bintracemessageServer/Python/Processapiservercdn.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.109.17.4/system/recordlimitgame/Prefsearcherdata/script/bintracemessageServer/Python/Processapiservercdn.php https://threatfox.abuse.ch/ioc/290703/

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Keygen.exe
Verdict:
Malicious activity
Analysis date:
2021-10-08 21:09:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c2ff12b-86b0-4b9b-8927-178a5cf87c40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217159/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/61d2f75192bdc4b4077b7932/reports/3328207a-d327-4f84-b129-c6d86e62220c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/273eb77f-e096-4ce0-a17d-e86d89d7c9e4
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914880
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 547358 Sample: 2CF79D95F091DE4C39F2E9E54D2... Startdate: 03/01/2022 Architecture: WINDOWS Score: 100 56 Antivirus detection for dropped file 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 15 other signatures 2->62 7 2CF79D95F091DE4C39F2E9E54D261034DC24ABF995963.exe 4 2->7         started        11 csrss.exe 2->11         started        13 smss.exe 2->13         started        15 7 other processes 2->15 process3 file4 48 2CF79D95F091DE4C39...24ABF995963.exe.log, ASCII 7->48 dropped 68 Adds a directory exclusion to Windows Defender 7->68 70 Creates processes via WMI 7->70 72 Drops PE files with benign system names 7->72 17 2CF79D95F091DE4C39F2E9E54D261034DC24ABF995963.exe 10 26 7->17         started        21 powershell.exe 22 7->21         started        23 2CF79D95F091DE4C39F2E9E54D261034DC24ABF995963.exe 7->23         started        25 2CF79D95F091DE4C39F2E9E54D261034DC24ABF995963.exe 7->25         started        74 Antivirus detection for dropped file 11->74 76 Multi AV Scanner detection for dropped file 11->76 78 Machine Learning detection for dropped file 11->78 80 Injects a PE file into a foreign processes 13->80 27 powershell.exe 13->27         started        29 2CF79D95F091DE4C39F2E9E54D261034DC24ABF995963.exe 15->29         started        32 powershell.exe 15->32         started        34 2CF79D95F091DE4C39F2E9E54D261034DC24ABF995963.exe 15->34         started        signatures5 process6 dnsIp7 40 C:\Windows\...\backgroundTaskHost.exe, PE32 17->40 dropped 42 C:\Windows\SysWOW64\...\dllhost.exe, PE32 17->42 dropped 44 C:\Windows\...\BackgroundTransferHost.exe, PE32 17->44 dropped 46 9 other malicious files 17->46 dropped 64 Drops executable to a common third party application directory 17->64 36 conhost.exe 21->36         started        50 ip-api.com 29->50 52 ip-api.com 208.95.112.1, 49794, 80 TUT-ASUS United States 29->52 54 3 other IPs or domains 29->54 38 conhost.exe 32->38         started        file8 66 May check the online IP address of the machine 50->66 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cf79d95f091de4c39f2e9e54d261034dc24abf9959634676cf61c16ce100982/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-10-09 08:09:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
100
AV detection:
22 of 43 (51.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ft3z3fpqshpeyops5hsu2jqqgtocjk7zswldiz3m6yobntqqbgba._file
Verdict:
malicious
Similar samples:
488aeadb7b5bfdcf2b7bf7f25518f6ccaf136e90bf81409838d7f8051938d076
DCRat
49cfe3e8ec06fb6fc1616f2113eec3aed85ec58a24798690a493a23d0a85f7b0
DCRat
68f6d55f31e87cebb1b5c9ea96e9c770464f8d6a937dda00b5a7139f79240d7c
DCRat
7023f35807e56aaf88350536ca380ac137d810958d6307e29454bf5336021a78
DCRat
7b0f445718f91d7d32669089ecf436c8cfc3639f756ef1d91f8ba5aa90c5145a
DCRat
8ce5aafe47667edfe0b9c5ca962481fa5c1b7190278eee1dd06e4aa0c30ea5ab
DCRat
+ 524 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220103-qjc1jahgdq/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
0c0b0ad2e0f4942f9254b76417110be6e36a6449b0f6b4d1928fd853e7bfd52e
MD5 hash:
8d19c27a1a737dabf13fe6871637cd6d
SHA1 hash:
de072b5d71ac5f844de8b12aedc839ed19ed3898
Link:
https://www.unpac.me/results/b16492b5-8f8f-4ddd-96f9-11fae8588195/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/b16492b5-8f8f-4ddd-96f9-11fae8588195/
SH256 hash:
ea323f627a209745570b704f8d6bbaf46fed48f1be6f54ed17b823efbcc12743
MD5 hash:
f32c7e6a51869e8a9415889c2e493209
SHA1 hash:
34d2fb550cecf36fcbf1e3ef3440029858e4c0e2
Link:
https://www.unpac.me/results/b16492b5-8f8f-4ddd-96f9-11fae8588195/
SH256 hash:
96ad55edfaf7196d8aec86cfa2cda3d48995db3894a50f249b904a14173683b0
MD5 hash:
071bf43944919a286e38dc11eff9b9a6
SHA1 hash:
78d17d2a41b228f49f4cc7b1949e19a7e8c36889
Link:
https://www.unpac.me/results/b16492b5-8f8f-4ddd-96f9-11fae8588195/
SH256 hash:
2cf79d95f091de4c39f2e9e54d261034dc24abf9959634676cf61c16ce100982
MD5 hash:
b0f507df0c08ba62c292c295bb183b5c
SHA1 hash:
6226241f0151fe2627b37a49b4fe119276bf49d7
Link:
https://www.unpac.me/results/b16492b5-8f8f-4ddd-96f9-11fae8588195/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2cf79d95f091de4c39f2e9e54d261034dc24abf9959634676cf61c16ce100982

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217159/

Comments