MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ab850d582976fd9c1bb14c1c50cffa66e9fd6e55fc27a704f01c45d1bc251dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments 1

SHA256 hash:	3ab850d582976fd9c1bb14c1c50cffa66e9fd6e55fc27a704f01c45d1bc251dc
SHA3-384 hash:	f83939262535b39b8024dc020c32b506fb9f1243dde87ec2afd199b61cda7b201e9d12e6d480c0e2ded0b4f4034f9f4b
SHA1 hash:	6e73fec1f0db28a7cde303a1bddf3f0d1fc26e1b
MD5 hash:	f31199c1fccb1fe693824f89573e4194
humanhash:	one-enemy-golf-march
File name:	f31199c1fccb1fe693824f89573e4194
Download:	download sample
Signature	DCRat Create hunting rule
File size:	3'774'212 bytes
First seen:	2021-07-29 11:29:34 UTC
Last seen:	2021-07-29 12:46:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	98304:GUFI1/p+td2Uf1u1xBKlhVr+4k0fBtkAV8JqhBnO/EuYVKPFswc:D6Uf1u1HKnVrTNBtkbqC8FKKwc
TLSH	T17D0633123DEEE05FC1E70B717DD19C8099A0DE46207D0B5A513EEA63213AB19CFAD879
Reporter	zbetcheckin
Tags:	32 DCRat exe

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175003/

Detection(s):

SecuriteInfo.com.Trojan.Siggen14.43856.2668.24204.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27001e12-87eb-48ac-9c85-5831b304cfc1

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/823771

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates files inside the volume driver (system volume information)

Creates multiple autostart registry keys

Detected unpacking (changes PE section rights)

Drops PE files with benign system names

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Schedule system process

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.LightStone

Status:

Malicious

First seen:

2021-07-19 22:39:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 46 (69.57%)

Threat level:

5/5

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence themida trojan

Link:

https://tria.ge/reports/210729-se2tz4tpja/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a

MD5 hash:

c02a029c978f13b753c6b578b1588c75

SHA1 hash:

e125d59451e7f467bfd329a00a506decbcd91d83

Link:

https://www.unpac.me/results/637cb482-a811-4bcf-98a7-e15289569f82/

SH256 hash:

84629d2ee644680c60a81f7b6dacd48019ee0cc0f68b0d2d9cd25133347ac5ff

MD5 hash:

d7cc0a4674277ca9e0cf5c842efea428

SHA1 hash:

bb43f19f9f2e45d0e98d6a9da04f61a788546f06

Link:

https://www.unpac.me/results/637cb482-a811-4bcf-98a7-e15289569f82/

SH256 hash:

3ab850d582976fd9c1bb14c1c50cffa66e9fd6e55fc27a704f01c45d1bc251dc

MD5 hash:

f31199c1fccb1fe693824f89573e4194

SHA1 hash:

6e73fec1f0db28a7cde303a1bddf3f0d1fc26e1b

Link:

https://www.unpac.me/results/637cb482-a811-4bcf-98a7-e15289569f82/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/3ab850d582976fd9c1bb14c1c50cffa66e9fd6e55fc27a704f01c45d1bc251dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.