MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b20be034ea25bcf142fe6d985c38918bde59c780b3ac7bdef4f0b88048f5dd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b20be034ea25bcf142fe6d985c38918bde59c780b3ac7bdef4f0b88048f5dd0
SHA3-384 hash: af6d34dd91484ca85ef566f9277706d763ea40bd5c202ed1a4643bce33a1aa9b55bd5d7c062bb591b95caf67ece05ea3
SHA1 hash: a8cc84f01e26fa44c411784169c27425ae580b03
MD5 hash: 728f3575ead222e4e13b9558291547be
humanhash: thirteen-stairway-winter-charlie
File name:728f3575ead222e4e13b9558291547be
Download: download sample
Signature DCRat
Create hunting rule
File size:1'369'600 bytes
First seen:2021-08-17 21:05:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:/5VMWIJwEsVuAVmWSG6tHeKYqd2yovVfv2kDxyf08FToITHH+4:xiWbnSG6ACrmVn2kDxy7GIT+
Threatray 129 similar samples on MalwareBazaar
TLSH T1A75549423E4ADD03E0A91637C9DFA4340BA8BD407B66CB1A7E9F335D65423A71D0E5CA
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
728f3575ead222e4e13b9558291547be
Verdict:
Malicious activity
Analysis date:
2021-08-17 21:08:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/284d187d-c5f3-4827-8dfc-972860a312af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180156/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Packed.Uztuby-9877681-0
Create hunting rule

Win.Packed.Uztuby-9878629-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a46fc254-3c56-4706-8ca9-edd3a3e0bfa4
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834741
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467172 Sample: ZhmNYDjrym Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for dropped file 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected DCRat 2->44 46 7 other signatures 2->46 7 ZhmNYDjrym.exe 9 28 2->7         started        12 BAMywgVWnIaBAQFBnLOzLDmLp.exe 15 2 2->12         started        14 dllhost.exe 2->14         started        16 8 other processes 2->16 process3 dnsIp4 36 192.168.2.1 unknown unknown 7->36 28 C:\Windows\Temp\...\dllhost.exe, PE32 7->28 dropped 30 C:\Windows\System32\mf\dllhost.exe, PE32 7->30 dropped 32 C:\Windows\...\BAMywgVWnIaBAQFBnLOzLDmLp.exe, PE32 7->32 dropped 34 10 other malicious files 7->34 dropped 48 Creates multiple autostart registry keys 7->48 50 Creates an autostart registry key pointing to binary in C:\Windows 7->50 52 Creates processes via WMI 7->52 18 cmd.exe 7->18         started        38 94.103.80.73, 49713, 49714, 49715 VDSINA-ASRU Russian Federation 12->38 54 Multi AV Scanner detection for dropped file 12->54 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->56 58 Machine Learning detection for dropped file 12->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->60 file5 signatures6 process7 process8 20 conhost.exe 18->20         started        22 chcp.com 18->22         started        24 w32tm.exe 18->24         started        26 WmiPrvSE.exe 18->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b20be034ea25bcf142fe6d985c38918bde59c780b3ac7bdef4f0b88048f5dd0/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 20:56:55 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0dc975463ed56da75689bc1dbee1f22007743a1beaf5417951c186b967a597f8
DCRat
3842802e7361274e141d7b500af86e3835472e3cae874bb9e36a5c5d6216e330
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
629c671a92b4a3af617c2d8fe133430ab77aac0acb07914f047f8868eb9ed92a
DCRat
8801faeab21ac37b1785a78c635cba75f914d2056f1b74ddefbcc1b17f836edc
DCRat
d228ba04f83cb17f60f1243c15765c63cbc1193e2c38e45c55fbe0928593f7ea
DCRat
d693f1e8c34d0154241010f82828d81c71edd89f80c4c97ff9bd6c5a570ac2a5
DCRat
d6f77ffe0af94a159322e345040797c44aba43f2188c82a341dc8efc3fa216fd
DCRat
+ 119 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat
Link:
https://tria.ge/reports/210817-xphd8vys6e/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
DCRat Payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
bb4b57723fbcdfbb47807454b2aa4be9fae345110c446f860484e22ee8fe5fcb
MD5 hash:
1a69b97daf93b539a2bd23b18d5e38f2
SHA1 hash:
ff73bba23a3d3e5a6486cf25e8f62b786e40f95d
Link:
https://www.unpac.me/results/9ebb610f-f59f-4fe9-920b-6261ad6d76e5/
SH256 hash:
c5af0a10880d9cce34a6116b46bc158dfb68b85638bc6eb217d966c1a0cd3d0e
MD5 hash:
673792e647467bc28e15279877cc4c77
SHA1 hash:
cbea63a47e7534c1e671c2bc3e2a2ce236435103
Link:
https://www.unpac.me/results/9ebb610f-f59f-4fe9-920b-6261ad6d76e5/
SH256 hash:
64c61736d27b18db48aaf8801fe1d8dcc4b1e9be24c0babc03d0934cfb3709ef
MD5 hash:
22ae100377f31e27d3eb21e6dc30cb34
SHA1 hash:
85f505328a0acd2cfa74835cc062bdc47e9d24b7
Link:
https://www.unpac.me/results/9ebb610f-f59f-4fe9-920b-6261ad6d76e5/
SH256 hash:
48d6be0ff082776c566a19459a5963f08d2c4d4a1c947de7a99b07560e236295
MD5 hash:
1ea5ecfbe64e314d9bb062046d5bfb75
SHA1 hash:
3ceeb4ea27ac76da489a55f242faf11ee0a2d2a2
Link:
https://www.unpac.me/results/9ebb610f-f59f-4fe9-920b-6261ad6d76e5/
Parent samples :
54de552295e919218a7d43a1d0114bae169a79a1963113d615fd8bce428b385d
2774262a54ea6008d5b508f4d95eb811bd5d7dc50e1c0659d016ab33d966e729
SH256 hash:
f1d4da4b5ca930a00369f62134ba352ec89c145004183ee33502bd18bd384278
MD5 hash:
53779a7a81b7dc3dc76bdc7e21edf026
SHA1 hash:
2558712a2d7bab1bf2c0962e3098fb54558273a7
Link:
https://www.unpac.me/results/9ebb610f-f59f-4fe9-920b-6261ad6d76e5/
SH256 hash:
2947c44d5325dec74194ae32b77b0cacc5c9bc3829482361dd33715adc9c6202
MD5 hash:
0402e0710a07030f88f36192243c1d5f
SHA1 hash:
1ba58a9281deeb055ec25d5406e265a9304e05b8
Link:
https://www.unpac.me/results/9ebb610f-f59f-4fe9-920b-6261ad6d76e5/
SH256 hash:
90aa76311a6d6c63e3d4114398ff023b362011b2aa04e26c6a4152245a8e8927
MD5 hash:
cd0c964aa3f387be6b7355de07a9c99a
SHA1 hash:
144af8a3d6668a805b9185aaf963426d01e59d53
Link:
https://www.unpac.me/results/9ebb610f-f59f-4fe9-920b-6261ad6d76e5/
SH256 hash:
3b20be034ea25bcf142fe6d985c38918bde59c780b3ac7bdef4f0b88048f5dd0
MD5 hash:
728f3575ead222e4e13b9558291547be
SHA1 hash:
a8cc84f01e26fa44c411784169c27425ae580b03
Link:
https://www.unpac.me/results/9ebb610f-f59f-4fe9-920b-6261ad6d76e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b20be034ea25bcf142fe6d985c38918bde59c780b3ac7bdef4f0b88048f5dd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 3b20be034ea25bcf142fe6d985c38918bde59c780b3ac7bdef4f0b88048f5dd0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1542663/
Cape
Cape
https://www.capesandbox.com/analysis/180156/

Comments


Avatar
zbet commented on 2021-08-17 21:05:35 UTC

url : hxxp://135.125.172.201/winDriversavesruntimecrt.exe