MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41d9459adfc2174e254616e62e78811abee49d1114f044df8ef04eab28ed0514. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat

Vendor detections: 13


SHA256 hash: 41d9459adfc2174e254616e62e78811abee49d1114f044df8ef04eab28ed0514
SHA3-384 hash: c532e9eb0ba79b4c7e4865953b6886538a8afbfa055755735fe9520705bebd752e3971dd7d84e2069c2d54875f1133fb
SHA1 hash: a24bc2b4b7014e5fc8c80818252b06e648152548
MD5 hash: 9096814c6408aa93466c364a30e54f97
humanhash: alaska-hot-oven-freddie
File name: 41d9459adfc2174e254616e62e78811abee49d1114f04.exe
Signature: DCRat
File size: 6'690'970 bytes
First seen: 2022-03-16 22:16:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 196608:RwxWAsDZ2of3thGxVMCp8wBCu5Anrm4RROh4:RwMfFQgC/BX5urm46i
TLSH T1326633FF5194CBA6C9C26276DE7BB5C58259E02C0415CB36C758AB45BEFCA70DE0C224
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://192.95.55.233/sqlflowerLongpoll/ExternalPhpRequestuniversalWordpress.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://192.95.55.233/sqlflowerLongpoll/ExternalPhpRequestuniversalWordpress.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/395874/

Intelligence


File Origin
# of uploads: 1
# of downloads: 261
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 41d9459adfc2174e254616e62e78811abee49d1114f04.exe
Verdict: Malicious activity
Analysis date: 2022-03-16 23:16:37 UTC
Tags: trojan loader rat backdoor dcrat evasion stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating synchronization primitives
Searching for the window
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Setting a single autorun event
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect virtual machines
Contains functionality to detect virtual machines (IN, VMware)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Yara detected TVrat
Behaviour
Behavior Graph:
Behavior Graph ID: 590862. Sample: 41d9459adfc2174e254616e62e7... Start date: 16/03/2022. Architecture: WINDOWS. Score: 100.
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 4 other signatures.
Processes started: 41d9459adfc2174e254616e62e78811abee49d1114f04.exe, ast.exe (twice), then cmd.exe, conhost.exe and ast.exe as children.
Files dropped by the sample: C:\Users\user\AppData\Local\...\quartz.dll (PE32), C:\Users\user\AppData\Local\...\nsis7z.dll (PE32), C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32), 16 other files (none is malicious).
Network activity from ast.exe: id.xn--80akicokc0aablc.xn--p1ai (212.193.169.74, 443, 44335, 49807, SAFIB-ASRU Russian Federation); mirtonewbacker.com (188.114.96.7, 49912, 80, CLOUDFLARENETUS European Union); 4 other IPs or domains.
Signatures on ast.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to detect virtual machines (IN, VMware); Contains functionality to detect virtual machines; 3 other signatures.
Threat name: Win32.Trojan.Woreflint
Status: Malicious
First seen: 2022-03-13 02:21:40 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 19 of 27 (70.37%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

File information


The table below shows additional information about this malware sample such as delivery method and external references.
