MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30422090b72e281b8ac5bd2e2169117d758324fda8bb742baaf3c370eb30bc62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 18



SHA256 hash: 30422090b72e281b8ac5bd2e2169117d758324fda8bb742baaf3c370eb30bc62
SHA3-384 hash: e510db6b362b869cdf55e68b31538c36415509843073961d4fecf9f4766d802425c2fdc496b4361175db4f0c17cad488
SHA1 hash: 1b4efda4a2541dff0790e6272e279caacdaf2f38
MD5 hash: 77d8ff25203fb95e3be27436c7422473
humanhash: item-wisconsin-india-violet
File name: JlsGsa8.exe
Download: download sample
Signature: DCRat
File size: 9'538'392 bytes
First seen: 2025-08-06 18:40:13 UTC
Last seen: 2025-08-06 19:28:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:xu1dQL5fwiOmhL2FDfnGM3Pl0CKOnCXa+ou:xu1gwPmw9fpPuGPVu
Threatray 8 similar samples on MalwareBazaar
TLSH T15BA633257B8C85E9C0DD43BDF4620844F776CA83E297E78E44A9B6B46E47740E8870F6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags: DCRat exe RAT
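The imphash above is shared with tens of thousands of unrelated families because a .NET executable's only native import is mscoree.dll!_CorExeMain, so the hash collapses to one constant. The Python below is an added example, not MalwareBazaar's or pefile's own code: it reimplements the imphash algorithm as pefile computes it (lowercase `library.function` tokens, `.dll`/`.ocx`/`.sys` stripped from the library name, MD5 over the comma-joined list in import order) and shows why the value on this page is useless as a pivot for a .NET sample. The native import list is constructed for contrast, and pefile's ordinal-to-name table for ws2_32/wsock32/oleaut32 is omitted.

```python
import hashlib

# The imphash this entry reports, shared with 48'652 AgentTesla, 19'463
# Formbook and 12'204 SnakeKeylogger samples according to the page.
DOTNET_STUB_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# pefile strips these extensions from the library name before hashing.
STRIPPED_EXTS = ("dll", "ocx", "sys")


def import_token(dll: str, symbol) -> str:
    """Build the 'library.function' token imphash uses for one import.

    symbol is the function name, or an int for ordinal-only imports.
    pefile additionally maps well-known ordinals of ws2_32/wsock32/oleaut32
    to names; that lookup table is omitted here and ordinals become 'ordN'.
    """
    lib = dll.lower()
    base, _, ext = lib.rpartition(".")
    if base and ext in STRIPPED_EXTS:
        lib = base
    name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
    return f"{lib}.{name}"


def imphash(imports) -> str:
    """MD5 of the comma-joined tokens, in import-table order (order matters)."""
    tokens = [import_token(dll, sym) for dll, sym in imports]
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest()


def is_dotnet_stub(h: str) -> bool:
    """True when the hash is the generic CLR loader stub, i.e. carries no pivot value."""
    return h.lower() == DOTNET_STUB_IMPHASH


if __name__ == "__main__":
    # A .NET PE imports exactly one native symbol: the CLR entry stub.
    dotnet = imphash([("mscoree.dll", "_CorExeMain")])
    # Constructed native import list for contrast (not from the sample).
    native = imphash([
        ("kernel32.dll", "CreateProcessW"),
        ("advapi32.dll", "OpenProcessToken"),
        ("ws2_32.dll", "connect"),
    ])
    print(".NET stub imphash:", dotnet, "(generic)" if is_dotnet_stub(dotnet) else "")
    print("native imphash:   ", native, "(generic)" if is_dotnet_stub(native) else "")
```

When the imphash comes back as the CLR stub, pivot on the TLSH and ssdeep values listed above, on the Threatray similarity, or on behaviour and configuration instead; a "similar samples" query keyed on this imphash would return the whole .NET malware population.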


abuse_ch
DCRat C2:
http://357129cm.nyash.es/PythonPollLowbasePrivate.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://357129cm.nyash.es/PythonPollLowbasePrivate.php | https://threatfox.abuse.ch/ioc/1565231/
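To act on the IOC, match the C2 hostname and URL against proxy or DNS logs. The Python below is an added example, not from the page or abuse.ch; the log lines are constructed, and their format (timestamp, source IP, destination IP, method, target, status) is assumed. It rates exact URL and hostname matches as high confidence, treats the two Cloudflare addresses the sandbox run recorded for mscontainer.exe (172.67.173.239, 104.21.30.213) as review-only because they are shared CDN IPs, and flags the dns.google:443 traffic the sandbox also recorded, which indicates DNS-over-HTTPS resolution and means the C2 lookup will not appear in port-53 DNS logs.

```python
from urllib.parse import urlsplit

# IOC from this entry (ThreatFox reference https://threatfox.abuse.ch/ioc/1565231/).
C2_URL = "http://357129cm.nyash.es/PythonPollLowbasePrivate.php"
C2_HOSTS = {urlsplit(C2_URL).hostname}
# IPs the sandbox saw mscontainer.exe reach. Both sit in Cloudflare ranges
# shared by many tenants, so an IP-only hit is weak evidence.
SHARED_CDN_IPS = {"172.67.173.239", "104.21.30.213"}
# dns.google over 443 in the sandbox run: DNS-over-HTTPS, invisible to
# port-53 DNS logging.
DOH_ENDPOINTS = {("dns.google", "443")}

# Constructed proxy log (not from the page). Assumed format:
# timestamp src_ip dst_ip method target status
SAMPLE_LOG = """\
2025-08-06T18:41:02Z 10.0.0.15 172.67.173.239 GET http://357129cm.nyash.es/PythonPollLowbasePrivate.php 200
2025-08-06T18:41:05Z 10.0.0.15 8.8.4.4 CONNECT dns.google:443 200
2025-08-06T18:42:10Z 10.0.0.22 104.21.30.213 GET http://unrelated.example/index.html 200
2025-08-06T18:43:00Z 10.0.0.30 198.51.100.7 GET http://unrelated.example/ 200
"""


def parse_line(line: str) -> dict:
    ts, src, dst, method, target, status = line.split()
    if method == "CONNECT":                      # target is host:port
        host, _, port = target.rpartition(":")
        url = None
    else:
        u = urlsplit(target)
        host = u.hostname
        port = str(u.port or (443 if u.scheme == "https" else 80))
        url = target
    return {"ts": ts, "src": src, "dst_ip": dst, "host": host, "port": port,
            "url": url, "status": status}


def classify(rec: dict):
    """Return (confidence, reason) or None, most specific indicator first."""
    if rec["url"] == C2_URL:
        return "high", "exact DCRat C2 URL"
    if rec["host"] in C2_HOSTS:
        return "high", "DCRat C2 hostname"
    if (rec["host"], rec["port"]) in DOH_ENDPOINTS:
        return "info", "DNS-over-HTTPS resolver; expect no port-53 record for the C2 lookup"
    if rec["dst_ip"] in SHARED_CDN_IPS:
        return "low", "shared Cloudflare IP from the sandbox run; check SNI/Host, do not block on IP"
    return None


def scan(log_text: str) -> list:
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = classify(rec)
        if hit:
            findings.append({"line": n, "src": rec["src"], "host": rec["host"],
                             "confidence": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['src']:<12} {f['confidence']:<5} {f['reason']}")
```

Block at the hostname or URL layer (proxy, DNS sinkhole, TLS SNI); blocking the Cloudflare IPs would also cut off every unrelated site behind them.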

Intelligence


File Origin
# of uploads: 2
# of downloads: 69
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
JlsGsa8.exe
Verdict:
Malicious activity
Analysis date:
2025-08-06 18:40:47 UTC
Tags:
stealer auto-startup dcrat rat remote darkcrystal upx golang salatstealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
autorun crypt virus spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating synchronization primitives
DNS request
Sending a UDP request
Creating a file in the %AppData% directory
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Restart of the analyzed sample
Searching for synchronization primitives
Launching a service
Loading a system driver
Creating a file
Creating a window
Searching for the window
Running batch commands
Creating a process with a hidden window
Loading a suspicious library
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 invalid-signature obfuscated packed signed
Result
Threat name:
DCRat, PureLog Stealer, Salat Stealer
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops large PE files
Drops VBS files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1751624 | Sample: JlsGsa8.exe | Start date: 06/08/2025 | Architecture: WINDOWS | Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 13 other signatures

Network contacts:
357129cm.nyash.es -> 172.67.173.239 (CLOUDFLARENETUS, United States), ports 49699, 49700, 49701, by mscontainer.exe
104.21.30.213 (CLOUDFLARENETUS, United States), ports 49864, 80, by mscontainer.exe
dns.google -> 8.8.4.4 (GOOGLEUS, United States), ports 443, 49821, 49822, by test.exe
104.21.48.1 (CLOUDFLARENETUS, United States), ports 443, 49823, by test.exe

Process tree:
JlsGsa8.exe
  dropped: C:\Users\user\AppData\Roaming\gxsetup.exe (PE32); C:\Users\user\AppData\Local\Temp\test.exe (PE32); C:\...\3527e61efa3b42069f7de17c652a53a1.xml (XML)
  signatures: Drops VBS files to the startup folder; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules; Drops large PE files
  JlsGsa8.exe
    dropped: C:\Users\user\AppData\Local\Temp\123.exe (PE32); C:\Users\user\AppData\Roaming\...\gxsetup.vbs (ASCII)
    signatures: Injects a PE file into a foreign processes
    123.exe
      dropped: C:\...\mscontainer.exe (PE32); C:\...\YYRWGVAbFyg5C9cpx7gumNO0Reewa.vbe (data)
      signatures: Multi AV Scanner detection for dropped file
      wscript.exe
        signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
        cmd.exe
          mscontainer.exe
            network: 357129cm.nyash.es (172.67.173.239); 104.21.30.213:80
            dropped: C:\Users\user\Desktop\uPRoXvMV.log (PE32); C:\Users\user\Desktop\kbnxnjRn.log (PE32); C:\Users\user\Desktop\glwHgmRu.log (PE32); 4 other malicious files
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
          conhost.exe
    JlsGsa8.exe
  test.exe
    network: dns.google (8.8.4.4:443); 104.21.48.1:443
    dropped: C:\Program Files\Google\Chrome\...\test.exe (PE32); C:\Program Files (x86)\Microsoft\...\test.exe (PE32)
    signatures: Antivirus detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    test.exe
    test.exe
  schtasks.exe
    conhost.exe
gxsetup.exe (persistence copy, started on sample restart)
  signatures: Injects a PE file into a foreign processes
  gxsetup.exe
    123.exe
      wscript.exe
        cmd.exe
          conhost.exe
          mscontainer.exe
    gxsetup.exe
wscript.exe
  signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
3 other processes
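The Sigma hits listed above (Drops script at startup location; WScript or CScript Dropper), the schtasks.exe use and the wscript.exe -> cmd.exe -> mscontainer.exe stage in the behaviour graph translate directly into endpoint detections. The Python below is an added example, not from the page or any vendor: it runs four rules over constructed Sysmon-style events (file-create and process-create records) that mirror the sandbox chain. Paths the page truncates with "..." are given assumed locations in the sample data, and the schtasks and cmd.exe command lines are invented for illustration; the page only shows that schtasks.exe ran and that a task XML and the .vbe script were dropped.

```python
# Rule inputs: minimal Sysmon-like event dicts.
#   FileCreate    : type, image, target
#   ProcessCreate : type, image, parent, cmdline
STARTUP_DIR = "\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
WSH_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def _lower(s):
    return (s or "").lower()


def _base(path):
    return _lower(path).rsplit("\\", 1)[-1]


def rule_script_in_startup(ev):
    """Sigma: Drops script at startup location."""
    if ev["type"] != "FileCreate":
        return None
    t = _lower(ev["target"])
    if STARTUP_DIR in t and t.endswith(SCRIPT_EXTS):
        return "script file dropped into a Startup folder"
    return None


def rule_schtasks_from_user_writable(ev):
    """schtasks /create whose XML or action lives under Temp/AppData."""
    if ev["type"] != "ProcessCreate" or _base(ev["image"]) != "schtasks.exe":
        return None
    cl = _lower(ev["cmdline"])
    if "/create" in cl and any(d in cl for d in USER_WRITABLE):
        return "scheduled task created from a user-writable path"
    return None


def rule_wsh_script_from_user_writable(ev):
    """Sigma: WScript or CScript Dropper."""
    if ev["type"] != "ProcessCreate" or _base(ev["image"]) not in WSH_HOSTS:
        return None
    cl = _lower(ev["cmdline"])
    if any(d in cl for d in USER_WRITABLE) and any(e in cl for e in SCRIPT_EXTS):
        return "wscript/cscript running a script from Temp/AppData"
    return None


def rule_wsh_spawns_shell(ev):
    """wscript.exe -> cmd.exe stage seen twice in the behaviour graph."""
    if ev["type"] != "ProcessCreate":
        return None
    if _base(ev["image"]) in SHELLS and _base(ev["parent"]) in WSH_HOSTS:
        return "command shell spawned by a Windows Script Host process"
    return None


RULES = (rule_script_in_startup, rule_schtasks_from_user_writable,
         rule_wsh_script_from_user_writable, rule_wsh_spawns_shell)


def detect(events):
    """Return (event_index, rule_name, reason) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            why = rule(ev)
            if why:
                hits.append((i, rule.__name__, why))
    return hits


# Constructed events mirroring the sandbox chain. Paths the page truncates
# are given assumed locations; the schtasks and cmd.exe command lines are
# invented for illustration.
U = "C:\\Users\\user"
EVENTS = [
    {"type": "FileCreate", "image": U + "\\Desktop\\JlsGsa8.exe",
     "target": U + "\\AppData\\Roaming\\gxsetup.exe"},
    {"type": "FileCreate", "image": U + "\\Desktop\\JlsGsa8.exe",
     "target": U + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\gxsetup.vbs"},
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent": U + "\\Desktop\\JlsGsa8.exe",
     "cmdline": 'schtasks.exe /create /tn gxsetup /xml "' + U + '\\AppData\\Local\\Temp\\task.xml" /f'},
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": U + "\\AppData\\Local\\Temp\\123.exe",
     "cmdline": 'wscript.exe "' + U + '\\AppData\\Roaming\\YYRWGVAbFyg5C9cpx7gumNO0Reewa.vbe"'},
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'cmd.exe /c "' + U + '\\AppData\\Roaming\\mscontainer.exe"'},
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\notepad.exe",   # benign control
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, name, why in detect(EVENTS):
        print(f"event {idx}: {name}: {why}")
```

Each rule fires on one stage of the chain, so a single host that trips all four within a few minutes is a much stronger signal than any one of them alone; the wscript-to-cmd rule in particular is noisy on its own in environments that run logon scripts.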
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.37 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.Heracles
Status:
Malicious
First seen:
2025-08-06 18:40:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Result
Malware family:
salatstealer
Score:
  10/10
Tags:
family:dcrat family:salatstealer credential_access discovery execution infostealer persistence rat spyware stealer upx
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
DCRat payload
DcRat
Dcrat family
Detect SalatStealer payload
Salatstealer family
salatstealer
Unpacked files

SHA256: 30422090b72e281b8ac5bd2e2169117d758324fda8bb742baaf3c370eb30bc62
MD5: 77d8ff25203fb95e3be27436c7422473
SHA1: 1b4efda4a2541dff0790e6272e279caacdaf2f38

SHA256: e278de21162a7368e0532a40acdc493b11aec8a2788dd15a7b76414b6f22aa37
MD5: 58ff4db324ffa63c0b7375468826e025
SHA1: a14b0c353dccae3ed464f12dbc78c2dd2b571d9d

SHA256: acf7aaaf78f3b08e7b174dd345e50a326a9696f87229025ee996c26f7088a612
MD5: 89d1977af87e4db25c0df607e12b1798
SHA1: c554fedbc3674de86579cd3c994fd9d53bddae64
Detections: INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

SHA256: ba4eb9ac31b5f361b4326d26e83e407fbbd37c5217bae4e34172e749cd3be439
MD5: 13881b205796ac700341be5365e69e2e
SHA1: 5bc3b54a51d99a53cf0ee54796cf1656103fbeb0

SHA256: 0519a256a2a15274e50bcf28cc6fe3dabb936fa29e72c1f503000eb9e418efc5
MD5: 61b8414ee3046ad1c12148f7b299bc87
SHA1: c84cb197e79f82014d571fc0a526832418178177

SHA256: 4f9000208a6a00b86f5675d5a22957bbdb2ca695e3ac675f8ec97e77f10639ad
MD5: 298e0e52b61c9006fc0b5c2479dfb87a
SHA1: e886e0ab71b4bf2846077bd924d4e3bb7dbdafc9

SHA256: 7b432a78a9d55d9eb6ba694c45f491acc6fe8902a3187f3b5381b2dc51eeb377
MD5: 0d83d29a552c26f3e9febdc0890c15c7
SHA1: 3a2ab07e6d40906f0e6d09a3633f70d1c615798f
Detections: SUSP_Imphash_Mar23_3

SHA256: d689f9be5669a7180ec3fe04762f5776dc0babd54340ed2af667b2167ff74857
MD5: f6b8ea741235c899925b50aaeae4b077
SHA1: 7ae0bfd15cead10044e63c5aea1a1eebc4430daf
Detections: INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

SHA256: 908a5d7795ef064146a348713f24eb720ee7bc3b7dea8237dd036491706e40b6
MD5: 67fd63a22b76585875da339657f9c9c7
SHA1: 2b486fcca028b77675f430873a72180eb4f64b0c

SHA256: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5: 4e29f75c0c51b9dec76955f0382d9541
SHA1: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256: 755a01da4f37a429394084dda71a56743e4efbc0a4160d4a9da2821be1193db3
MD5: 139e350c40461f1ce1acee77a29b5896
SHA1: 734ef277914d8f68e359f38ed212fe3230c5f144

SHA256: 50944e680fcf50bf2513f55d2a3155a6f6802da1f26811a8349c5b09ad4706c7
MD5: eb612c2f1e4ccc271fc01105c971d779
SHA1: c3f87ef943e8ee2fe9ee21835c98da3f7a87494b

SHA256: 9fe84045ff6d1452f556fe1d53386e28cffe5197acd85164f2ea9c81f3913d5b
MD5: cc125181d6741d6792f70aee80aa4a21
SHA1: c72f42e1278db3f13053016c4cbdd606a5a4f8e1

SHA256: 6f724730b5c6edd0f2551e1bc47c9bd922aa634a48910a43961e632007a9e64d
MD5: 5e5c6c0b4c80b24d3972f67ea3698ea8
SHA1: d2a5a0466c79bbf160c950d1092e6ac4d3619fbf
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256: a271a28039de150bd541fa5ad59f5a897802f912e74ca2cfced99d4daa7056a0
MD5: 422c87d987c3773f5f0dc6ceacff334b
SHA1: 1bb00411e8b8bd17ce18e9adff4034f695b68f04

SHA256: 73dfaf7fab0751d2e4eedda7f43418385a30eef22a99fa2ac454f381bc2039ae
MD5: 38cf95d64c0cd27459cfa56cc571ef0a
SHA1: 1f54074c5fc29c7a474e382eb555b7d94943e2dc
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256: 2fc58dd4e89b2ae46e72c0c236d9d1031f370e6ac6c465cb93d571bfe52bcfd5
MD5: 75616a4476cb4096fa44a8605c26e312
SHA1: addcbf974ad2aacc2ccd9ba62bca8d1db67d5ed5

SHA256: 9e899f646cbe676f3589dedd5e24748fea7780941569c0cabcb411735636f545
MD5: 8daed86d9762f396c20fb74241f2bb8a
SHA1: c49f50057d364c7591b0f12895a507f121490ca9

SHA256: 0a05a3203966f46e07ac527be2ace8cf7087408aa6635f3c74d7c5e90a8e401d
MD5: 22eb95e88322a59d52b3652ae54b45d8
SHA1: e1e8709ed8714c8de3fea052b420cc734720ba6e

SHA256: ee78509c625db32a34f06ad7ed8e8f58ca0309160c7971b975696e3d25c39939
MD5: 97ae842c590e8ea7e544afa3bf0c3a1e
SHA1: 0663425ea450d7b92b94e94d56f6287cc58dd88a
Detections: cn_utf8_windows_terminal INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

SHA256: 5153b60b002a0b82848661b6dc00df9e184ef2a3f800aac3e90f2f868b403c46
MD5: f99323ccbdf71989e975c21ef85ebe10
SHA1: bd71d9c530579b5944bfdd1a6a3b1b4f52f4eab3

SHA256: 67cffbbc62528b0c5801781ea9429305621980ed0e2290c35a7c4012baccdf24
MD5: 1a960242a045d5a80a96ca33a44d9922
SHA1: 771b09a55c72ae7ac6d599ac75384748f5b51c2f

SHA256: e998c9964958c5faf22b0c1b14c586b343387c6313ac29f36031d84f41b509d1
MD5: 668032424eb32715c99044e0efc454e7
SHA1: b6a9525637da1580eab8d2f797faf03365336d68

SHA256: 1096b4993225a4087ddf3b7fbc9c0da66099a963054d5cdd1df9ec296bf8f809
MD5: 7acbcd469d4db44f2403550483d20695
SHA1: a032b7eca9399774a4d8730d2b7bb74e6ff3eff8
Detections: INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Malware family:
SalatStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name:GoBinTest
Rule name:golang
Rule name:Golangmalware
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Rule name:Heuristics_ChromeABE
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:HiveRansomware
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Macos_Infostealer_Wallets_8e469ea0
Author:Elastic Security
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multi_Generic_Threat_19854dc2
Author:Elastic Security
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:ProgramLanguage_Golang
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rooter
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author:malware-lu
Rule name:upx_largefile
Author:k3nr9
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 30422090b72e281b8ac5bd2e2169117d758324fda8bb742baaf3c370eb30bc62

(this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
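Both BLint findings come straight from the PE optional header: the IMAGE_DLLCHARACTERISTICS_GUARD_CF bit in DllCharacteristics, and the size of the Security data directory (the Attribute Certificate Table that holds an Authenticode signature). The Python below is an added example, not BLint's code: it reads those fields from a PE32 or PE32+ header using only `struct`, reproduces the two checks (plus an NX/ASLR check added here), and builds minimal PE32 headers as constructed fixtures because the sample itself is not part of the page. A non-empty security directory only proves that a signature blob is attached, not that it verifies; validating the chain needs WinVerifyTrust or an equivalent tool.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Attribute Certificate Table (Authenticode)


def pe_security_properties(data: bytes) -> dict:
    """Read DllCharacteristics and the Security directory straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip 'PE\0\0' and the COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:                         # PE32+
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sec_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from("<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "guard_cf": bool(dllchar & GUARD_CF),
        "nx_compat": bool(dllchar & NX_COMPAT),
        "dynamic_base": bool(dllchar & DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
        # Non-zero size means a signature blob is attached, not that it verifies.
        "authenticode_blob": sec_size > 0,
    }


def blint_style_findings(data: bytes) -> list:
    """The two BLint checks from this page, plus an NX/ASLR check added here."""
    p = pe_security_properties(data)
    findings = []
    if not p["authenticode_blob"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not p["guard_cf"]:
        findings.append(("CHECK_DLL_CHARACTERISTICS", "Missing dll Security Characteristics (GUARD_CF)", "high"))
    if not (p["nx_compat"] and p["dynamic_base"]):
        findings.append(("CHECK_DLL_CHARACTERISTICS", "Missing NX_COMPAT or DYNAMIC_BASE", "medium"))
    return findings


def build_pe32_header(dll_characteristics: int, signature_size: int) -> bytes:
    """Constructed fixture: a minimal PE32 header (no sections, no code)."""
    hdr = bytearray(64 + 4 + 20 + 224)           # DOS header, signature, COFF, optional header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)        # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<H", hdr, 68, 0x014C)      # Machine: i386
    struct.pack_into("<H", hdr, 84, 224)         # SizeOfOptionalHeader
    opt = 88
    struct.pack_into("<H", hdr, opt, 0x10B)      # Magic: PE32
    struct.pack_into("<H", hdr, opt + 70, dll_characteristics)
    struct.pack_into("<I", hdr, opt + 92, 16)    # NumberOfRvaAndSizes
    if signature_size:
        struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, signature_size)
    return bytes(hdr)


if __name__ == "__main__":
    weak = build_pe32_header(NX_COMPAT | DYNAMIC_BASE, signature_size=0)
    hardened = build_pe32_header(NX_COMPAT | DYNAMIC_BASE | GUARD_CF, signature_size=0x1800)
    for label, img in (("weak", weak), ("hardened", hardened)):
        print(label, pe_security_properties(img), blint_style_findings(img))
```

Run `pe_security_properties` on a real file by passing its bytes; the "weak" fixture reproduces exactly the two findings BLint reports for this sample. For a .NET image note that GUARD_CF is set by the compiler's linker flags, so its absence says little about the payload and is mostly a fingerprint of the build toolchain.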

Comments