MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43261cd34d3e25d42b404924c0ef75abd518be3654025d951a48d35873f5396d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	43261cd34d3e25d42b404924c0ef75abd518be3654025d951a48d35873f5396d
SHA3-384 hash:	a6ed0672f0ffe74c0b240563b66a0807b9978661fab1097d5281b1c5b7b03d6e1474c66f47b75c8c402fb94d337aa424
SHA1 hash:	a5e7029cac9c7466393c0ea3afe993e9b97c5195
MD5 hash:	26bf2a48552a3b37cb0432b85916203a
humanhash:	cola-winter-tennessee-asparagus
File name:	file
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'536'512 bytes
First seen:	2022-11-05 11:01:28 UTC
Last seen:	2022-11-05 14:32:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cad64104356d075a08492c873a04aa6 (2 x RedLineStealer, 1 x ArkeiStealer, 1 x DCRat)
ssdeep	24576:JpuqjQ2XyQYWLf+Eim1msapSTWE2A2pvuHimvkcZt2qICNxOhsuXswaJMPj8QnL:/vXyQYWLf3ms569RcZMqIGxMD8zQtL
Threatray	2'896 similar samples on MalwareBazaar
TLSH	T1D9654B00A8D5D961F1EB6E35495FD7A41F6D2CB32620A6FB13F1B8B611491C12F0B2EB
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	DCRat exe

andretavare5

Sample downloaded from https://vk.com/doc760294778_651762811?hash=R0XJvj1QwrM8tq50x86rJHXZaoDZlzLPq0pq2H1E6Rg&dl=G43DAMRZGQ3TOOA:1667645410:8Y07Pk04d5BPW78RJAewBf24tmc4KKnPzK9qePcT61P&api=1&no_preview=1#lan1

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-11-05 11:03:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a4e606b6-a1b9-4504-81c2-fb12226909cd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/329037/

Result

Verdict:

Malware

Maliciousness:

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/48881/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/636642acd998c15a09ab1dcb/reports/7741862f-299b-447f-82f6-eb686f107cfb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b30ebe6b-1d92-48d2-94e7-9c91752b59ee

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1106103

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Disables UAC (registry)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected DCRat

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/43261cd34d3e25d42b404924c0ef75abd518be3654025d951a48d35873f5396d/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-05 11:02:09 UTC

File Type:

PE (Exe)

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=imtbzu2nhys5ik2ajesmb33vvpkrrprwkqbf3fi2jdjvq47vhfwq._file

Verdict:

malicious

DCRat

2fe888b1c7062ed3e7f339e0db422059ae41232027c8298d866760a5a2baa40b

DCRat

5f20ea0ed24da122a79ecad42691dbef0a06965025ed04656e1a271c110a1f95

DCRat

67b7f67754ca7d98124c5f9f29a6fb4b5a8d63bffafb8a146280f79323c9e9b1

DCRat

8126b281072f428af30905d7c2fadee86ba76c7a9e8053264b463388cf301b46

DCRat

8743c2679a86984a8f52a512dc5ab76c4bb5077dc71b94219bfd3eee6217da19

DCRat

f8dcc20d73f6aac8a0c189894b66398c76fea9284015c7eb58baf8df65815218

DCRat

+ 2'886 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat evasion infostealer rat spyware trojan

Link:

https://tria.ge/reports/221105-m45dqsfea5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

DCRat payload

DcRat

UAC bypass

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b7c78356-f413-48ea-9326-d89b9a7b7cd4

Unpacked files

SH256 hash:

43261cd34d3e25d42b404924c0ef75abd518be3654025d951a48d35873f5396d

MD5 hash:

26bf2a48552a3b37cb0432b85916203a

SHA1 hash:

a5e7029cac9c7466393c0ea3afe993e9b97c5195

Link:

https://www.unpac.me/results/e13bee66-e399-41bc-92f1-151439651cdd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43261cd34d3e25d42b404924c0ef75abd518be3654025d951a48d35873f5396d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/329037/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample