MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f
SHA3-384 hash: c45ac725af2a98644f986dd50b6dddc6b75290b6d9a0ebfc2c914b15c48863b9ea35f1f9256dc922553488fc0768f0d4
SHA1 hash: 2dab1922caec84d9f3a78023c376368f4fcd8c93
MD5 hash: 5e982c02cb02514fbbf943021003ae16
humanhash: virginia-alpha-oxygen-single
File name:5e982c02cb02514fbbf943021003ae16
Download: download sample
Signature DCRat
Create hunting rule
File size:1'613'467 bytes
First seen:2021-07-09 05:27:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:P2G/nvxW3W2/v0oHsazPFQJTIzdke2IFywtx7bBVKwXBEVn0nDtKe+4T:PbA3lE27zPeT+ks0k0VUDkZC
TLSH T1A17549027A46DD12C0291637C9DF94B807A8BD40EB77DB1B7A9B7B5D74713A20E092CB
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shell.exe
Verdict:
Malicious activity
Analysis date:
2021-07-09 05:29:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc5764ee-6697-4ab5-a108-da3a74c09557

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170606/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9078b125-c564-448d-9511-02e7ffc196f2
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813861
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 446272 Sample: SYGQZeQUTb Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 72 ipinfo.io 2->72 74 ip-api.com 2->74 84 Found malware configuration 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 Multi AV Scanner detection for submitted file 2->88 92 7 other signatures 2->92 11 SYGQZeQUTb.exe 3 6 2->11         started        14 winlogon.exe 3 2->14         started        17 spoolsv.exe 2->17         started        19 6 other processes 2->19 signatures3 90 May check the online IP address of the machine 74->90 process4 dnsIp5 70 C:\...\WinDriverhostrefMonitordll.exe, PE32 11->70 dropped 22 wscript.exe 1 11->22         started        106 Multi AV Scanner detection for dropped file 14->106 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->108 110 May check the online IP address of the machine 14->110 112 Machine Learning detection for dropped file 17->112 114 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->114 24 conhost.exe 17->24         started        76 141.95.28.201, 49726, 49732, 49740 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 19->76 78 ip-api.com 208.95.112.1, 49728, 49739, 49742 TUT-ASUS United States 19->78 80 ipinfo.io 34.117.59.81, 443, 49727, 49738 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 19->80 26 powershell.exe 19->26         started        29 conhost.exe 19->29         started        file6 signatures7 process8 dnsIp9 31 cmd.exe 1 22->31         started        82 192.168.2.1 unknown unknown 26->82 33 conhost.exe 26->33         started        process10 process11 35 WinDriverhostrefMonitordll.exe 13 18 31->35         started        39 conhost.exe 31->39         started        file12 62 C:\Windows\System32\wbem\...\WmiPrvSE.exe, PE32 35->62 dropped 64 C:\Windows\System32\appraiser\winlogon.exe, PE32 35->64 dropped 66 C:\Windows\System32\...\RuntimeBroker.exe, PE32 35->66 dropped 68 3 other malicious files 35->68 dropped 94 Multi AV Scanner detection for dropped file 35->94 96 Creates an undocumented autostart registry key 35->96 98 Machine Learning detection for dropped file 35->98 102 6 other signatures 35->102 41 schtasks.exe 1 35->41         started        44 schtasks.exe 1 35->44         started        46 schtasks.exe 1 35->46         started        48 4 other processes 35->48 100 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 39->100 signatures13 process14 signatures15 104 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 41->104 50 conhost.exe 41->50         started        52 conhost.exe 44->52         started        54 conhost.exe 46->54         started        56 conhost.exe 48->56         started        58 conhost.exe 48->58         started        60 conhost.exe 48->60         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 15:28:14 UTC
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210709-k7mnsp56hn/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
DCRat Payload
Contains code to disable Windows Defender
DcRat
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
b5ba786f4fb00635bd80107b791ceeb5179fbcc713a88e7451c0f8807cb9ee59
MD5 hash:
2a941674030e4f45d7d8e5502b7cc621
SHA1 hash:
d863b1a629e74211c7a53225103cac248cce5583
Link:
https://www.unpac.me/results/71061150-4ead-4d53-aa65-89fdfe5a9b29/
SH256 hash:
d599cc2b0ef488ad5e47c69111b2b727a6ad2016520ce82142a75ca3c13fdf4e
MD5 hash:
ff1326c1f61a00466facdd7ceb1882b8
SHA1 hash:
df3f507425d4f3d1d8df88d4c14703c9f2c441f6
Link:
https://www.unpac.me/results/71061150-4ead-4d53-aa65-89fdfe5a9b29/
SH256 hash:
40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f
MD5 hash:
5e982c02cb02514fbbf943021003ae16
SHA1 hash:
2dab1922caec84d9f3a78023c376368f4fcd8c93
Link:
https://www.unpac.me/results/71061150-4ead-4d53-aa65-89fdfe5a9b29/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1438017/
  
URLhaus
https://urlhaus.abuse.ch/url/1438018/
Cape
Cape
https://www.capesandbox.com/analysis/170606/

Comments


Avatar
zbet commented on 2021-07-09 05:27:42 UTC

url : hxxp://141.95.28.201/shell.exe