MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e44fa58db896416c8d221a9f73447c357ab55ad8ca835bd7f24e22edf97770d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e44fa58db896416c8d221a9f73447c357ab55ad8ca835bd7f24e22edf97770d
SHA3-384 hash: 1ea66ae1d562efbfc7ad5a5d5d941393ca0d24a4ac22ab23bd2cf8d51499c5347a8806a225b20388aaa0f6b14c495714
SHA1 hash: 7371b7726fc535ee43ad82574b4ea1e57df9e433
MD5 hash: 4070349747c48c574170388c307aa01d
humanhash: wisconsin-stream-oscar-orange
File name:4070349747c48c574170388c307aa01d.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:459'264 bytes
First seen:2021-08-03 07:43:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep 12288:G5oaqjp/9ThISUNahn/KKkGZLOSnI4+OEYH:G5v4DThqen/+GZBv+RC
TLSH T1FCA4F19AB2E01098EBF544FADA821745E731B4751B14A3DB2B7852B31B6B4D6CF3C390
Reporter abuse_ch
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4070349747c48c574170388c307aa01d.exe
Verdict:
No threats detected
Analysis date:
2021-08-03 07:46:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c55d09a2-c17e-40e1-88d7-8e35aa0e4c72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175962/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33822938.14445.490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1e63e21-971a-4941-bf50-1417f7a81227
Result
Threat name:
DCRat Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825953
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 458365 Sample: JGJtVyC9dr.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 90 45.137.190.236, 49723, 49725, 49726 BITWEB-ASRU Russian Federation 2->90 96 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->96 98 Antivirus detection for dropped file 2->98 100 Multi AV Scanner detection for dropped file 2->100 102 7 other signatures 2->102 11 JGJtVyC9dr.exe 9 2->11         started        14 svchost.exe 2->14         started        17 svchost.exe 1 2->17         started        signatures3 process4 dnsIp5 86 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 11->86 dropped 19 cmd.exe 3 11->19         started        22 conhost.exe 11->22         started        92 127.0.0.1 unknown unknown 14->92 94 192.168.2.1 unknown unknown 14->94 file6 process7 signatures8 104 Wscript starts Powershell (via cmd or directly) 19->104 106 Uses schtasks.exe or at.exe to add and modify task schedules 19->106 108 Adds a directory exclusion to Windows Defender 19->108 24 welldone.exe 2 4 19->24         started        28 vbn.exe 19->28         started        30 zxc.exe 1 18 19->30         started        32 7 other processes 19->32 process9 dnsIp10 68 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 24->68 dropped 118 Multi AV Scanner detection for dropped file 24->118 120 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->120 122 Machine Learning detection for dropped file 24->122 124 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->124 35 MicrosoftApi.exe 1 5 24->35         started        70 C:\...\WinruntimedhcpNetcommon.exe, PE32 28->70 dropped 72 C:\Winruntimedhcp\VJt8Zy0BQ8pAy.bat, ASCII 28->72 dropped 39 wscript.exe 28->39         started        74 C:\Windows\Client.exe, PE32 30->74 dropped 76 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 30->76 dropped 78 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 30->78 dropped 126 Disables security and backup related services 30->126 41 cmd.exe 1 30->41         started        43 cmd.exe 30->43         started        88 cdn.discordapp.com 162.159.134.233, 443, 49713, 49715 CLOUDFLARENETUS United States 32->88 80 C:\Users\user\AppData\Local\Temp\...\zxc.exe, PE32 32->80 dropped 82 C:\Users\user\AppData\Local\...\welldone.exe, PE32+ 32->82 dropped 84 C:\Users\user\AppData\Local\Temp\...\vbn.exe, PE32 32->84 dropped file11 signatures12 process13 file14 66 C:\Users\user\AppData\...\tmpC5D6.tmp.cmd, DOS 35->66 dropped 110 Multi AV Scanner detection for dropped file 35->110 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->112 114 Machine Learning detection for dropped file 35->114 45 cmd.exe 35->45         started        48 cmd.exe 35->48         started        116 Wscript starts Powershell (via cmd or directly) 39->116 50 net.exe 1 41->50         started        52 conhost.exe 41->52         started        54 conhost.exe 43->54         started        56 sc.exe 43->56         started        signatures15 process16 signatures17 128 Wscript starts Powershell (via cmd or directly) 45->128 130 Adds a directory exclusion to Windows Defender 45->130 58 conhost.exe 45->58         started        60 timeout.exe 45->60         started        62 conhost.exe 48->62         started        64 net1.exe 50->64         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e44fa58db896416c8d221a9f73447c357ab55ad8ca835bd7f24e22edf97770d/
Threat name:
Win64.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 19:05:17 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzcpuwg3rfsbnsgsegu7onchynl2wvnnrsudlpl7etrc5x4xo4gq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210803-3v8knwzas6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
3e44fa58db896416c8d221a9f73447c357ab55ad8ca835bd7f24e22edf97770d
MD5 hash:
4070349747c48c574170388c307aa01d
SHA1 hash:
7371b7726fc535ee43ad82574b4ea1e57df9e433
Link:
https://www.unpac.me/results/dfd60c86-9c98-4fca-81e9-25793b46b857/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e44fa58db896416c8d221a9f73447c357ab55ad8ca835bd7f24e22edf97770d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 3e44fa58db896416c8d221a9f73447c357ab55ad8ca835bd7f24e22edf97770d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1493960/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175962/

Comments