MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792
SHA3-384 hash: f588c58086c21dae8b69454a07b4566eed6e1e837173a0a7c69e9fc0959fac5ad8df8b30ef38e40f47ad77c33d79fe77
SHA1 hash: 5302f3a8a266b9405502b2c27a3a9c886bfb9f34
MD5 hash: 1d4131fc3c2658b5a5d6132b8c2be227
humanhash: chicken-early-item-sweet
File name:Exposes.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'754'112 bytes
First seen:2021-09-04 19:51:23 UTC
Last seen:2021-09-04 21:25:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 49152:dS1Mz0A6wz8IVodyVQbWjHcusgQKoBJq:Dv6S84dQbDusg0E
Threatray 190 similar samples on MalwareBazaar
TLSH T1FC85336030FEF9A3F5933C7C13FAE6972030646489D0FFFBAA595407AA96049D5891B2
Reporter Anonymous
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Exposes.exe
Verdict:
Malicious activity
Analysis date:
2021-09-04 19:52:12 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/ba0c338a-7de6-4dd8-b672-7776dbd4b5dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185350/
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a process from a recently created file
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9e378d9-96b4-4659-be1f-0d83d4090fa5
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845351
Signature
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477782 Sample: Exposes.exe Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Detected unpacking (changes PE section rights) 2->49 51 6 other signatures 2->51 8 Exposes.exe 8 20 2->8         started        12 fontdrvhost.exe 17 13 2->12         started        15 WmiPrvSE.exe 3 2->15         started        17 2 other processes 2->17 process3 dnsIp4 33 C:\Windows\SysWOW64\...\RuntimeBroker.exe, PE32 8->33 dropped 35 C:\Windows\...\ApplicationFrameHost.exe, PE32 8->35 dropped 37 C:\ProgramData\Microsoft\...\fontdrvhost.exe, PE32 8->37 dropped 39 6 other malicious files 8->39 dropped 63 Detected unpacking (changes PE section rights) 8->63 65 Tries to evade analysis by execution special instruction which cause usermode exception 8->65 67 Creates processes via WMI 8->67 19 cmd.exe 1 8->19         started        41 178.250.159.75, 49731, 49732, 49733 THEFIRST-ASRU Russian Federation 12->41 43 192.168.2.1 unknown unknown 12->43 69 Multi AV Scanner detection for dropped file 12->69 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->71 73 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->73 77 4 other signatures 12->77 75 Hides threads from debuggers 15->75 file5 signatures6 process7 signatures8 53 Drops executables to the windows directory (C:\Windows) and starts them 19->53 22 RuntimeBroker.exe 19->22         started        25 w32tm.exe 1 19->25         started        27 conhost.exe 19->27         started        29 chcp.com 1 19->29         started        process9 signatures10 55 Multi AV Scanner detection for dropped file 22->55 57 Detected unpacking (changes PE section rights) 22->57 59 Machine Learning detection for dropped file 22->59 61 2 other signatures 22->61 31 w32tm.exe 1 25->31         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2021-09-04 19:52:06 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  1/5
Verdict:
suspicious
Similar samples:
105f84831dddedb6f03fd79e892afaa1fed238b4f7538058f45fa28e10cb244b
DCRat
23373334a8179c86c6873e56c035ba848ea8023e2d717fc449b7f29ac2455657
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
6718c04021467956503e7c53e7a6597fad77eafe88b080442d4168ab1081f32c
DCRat
844b9f86c1708ac12367aeef61e3116207fc430734449781d663755f9b4ffad8
DCRat
95f5464f22e6bbe285c912f7afd00836c7253babdf6b608cbbb5a063bb1f868f
DCRat
aebfeecd15596e7b6b4a739157229d3a0e1ea320e9352e4e725663b5a4f367b1
DCRat
d700e68d1c067c7bb297805d8429aa95cde9b6ec484c490ebdb01fc9689b1a31
DCRat
+ 180 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210904-yldzlsedg9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
b66b027e7379175688dac03b6368730972e7cf13da6ddb0635b382e5fe279cf5
MD5 hash:
112fa062c7a2d71e521dcf48eed730ff
SHA1 hash:
108253a6f83f47aec97b6819a707a46a2bd3b6ab
Link:
https://www.unpac.me/results/67627eff-c0ed-42fc-b889-c62d92233a55/
SH256 hash:
2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792
MD5 hash:
1d4131fc3c2658b5a5d6132b8c2be227
SHA1 hash:
5302f3a8a266b9405502b2c27a3a9c886bfb9f34
Link:
https://www.unpac.me/results/67627eff-c0ed-42fc-b889-c62d92233a55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185350/

Comments