MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 455cd1baccbf9b3abc59454a6d80ee72c2db5cb6ffb73a5102b5a1e6eb78599e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 16



SHA256 hash: 455cd1baccbf9b3abc59454a6d80ee72c2db5cb6ffb73a5102b5a1e6eb78599e
SHA3-384 hash: 7445d7ba31bd03e40ec35e4305142b61dc56984449244f93bab57b1ea1d0df713d541b904fae860d46a8e8a1d00e94df
SHA1 hash: a3fd1d6df4d056396e4c6a42035e62f68373ac9b
MD5 hash: 6955454a8fbb5376bdf5369a475b49a3
humanhash: nuts-nine-spaghetti-one
File name: 6955454a8fbb5376bdf5369a475b49a3.exe
Signature: DCRat
File size: 233'472 bytes
First seen: 2023-07-11 08:55:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 267ebac2da81baae2c32ae16b7c3027a (4 x RedLineStealer, 2 x Smoke Loader, 2 x DCRat)
ssdeep 3072:IKYADNGazzy0bq8VDRiIxGkQU/SeK+dzl84kUg:N9xvi0bpeIEkQUQQJN
Threatray 1'627 similar samples on MalwareBazaar
TLSH T195347D0272E17CA5F5667A324D2EDBE82F1EFD918F1467DA22187A2F09711E1C672703
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0010b1a0c4686c44 (1 x DCRat)
Reporter abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://965092.clmonth.nyashteam.top/JsProtectDefaulttrafficLocal.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 301
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 6955454a8fbb5376bdf5369a475b49a3.exe
Verdict: Malicious activity
Analysis date: 2023-07-11 08:56:41 UTC
Tags: loader smoke trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process from a recently created file
Setting browser functions hooks
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a browser process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DCRat, SmokeLoader, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DCRat
Yara detected Generic Downloader
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 1270706; sample H11rzETDie.exe; start date 11/07/2023; architecture WINDOWS; score 100):
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
- H11rzETDie.exe (started): Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
  - explorer.exe (injected): connects to transfer.sh 144.76.136.153 (443, 49728, 49734; HETZNER-ASDE, Germany) and stalagmijesarl.com 194.50.153.31 (49718, 49719, 49720; GAZ-IS-ASRU, United Kingdom); drops C:\Users\user\AppData\Roaming\hctacat (PE32), C:\Users\user\AppData\Local\Temp\D254.exe (PE32), C:\Users\user\AppData\Local\Temp\4483.exe (PE32), C:\Users\user\...\hctacat:Zone.Identifier (ASCII); signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
    - 4483.exe (started): drops C:\Users\user\AppData\Local\Temp\...\7z.exe (PE32+) and C:\Users\user\AppData\Local\Temp\...\7z.dll (PE32+); Multi AV Scanner detection for dropped file
      - cmd.exe (started)
        - Msruntime.exe (started): Creates processes via WMI; Drops PE files with benign system names
          - cmd.exe (started)
            - Msruntime.exe (started): drops C:\Windows\...\fontdrvhost.exe (PE32), C:\Users\Default\AppData\...\vdkhekdeGR.exe (PE32), C:\Recovery\explorer.exe (PE32) and 5 other malicious files; Disables UAC (registry)
            - conhost.exe (started)
        - 7z.exe (started): drops C:\Users\user\AppData\Local\...\Msruntime.exe (PE32)
        - conhost.exe (started)
        - 10 other processes
    - D254.exe (started): connects to t.me 149.154.167.99 (443, 49731; TELEGRAMRU, United Kingdom), 5.75.211.167 (49732, 8081; HETZNER-ASDE, Germany) and 192.168.2.1 (unknown); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 4 other signatures
    - explorer.exe (started)
    - 8 other processes
- hctacat (started): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration)
- WmiPrvSE.exe (started): Uses schtasks.exe or at.exe to add and modify task schedules
  - schtasks.exe (started, three instances); 3 other processes
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2023-07-11 08:21:29 UTC
File Type: PE (Exe)
Extracted files: 29
AV detection: 24 of 38 (63.16%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat family:smokeloader family:vidar botnet:https://t.me/eagl3z botnet:summ backdoor discovery evasion infostealer rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
DCRat payload
DcRat
Process spawned unexpected child process
SmokeLoader
UAC bypass
Vidar
Malware Config
C2 Extraction:
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
https://t.me/eagl3z
https://steamcommunity.com/profiles/76561199159550234
Unpacked files
SHA256 hash: 48b6a4785f1dc9f33c51c2e588c7f9edf76e551cff8759ac5622cf995330ff14
MD5 hash: d9cde58139fef6bf75141230f9662d97
SHA1 hash: 68ac6ee1b78dfa15bfe49229640a0929438029af
Detections: SmokeLoaderStage2 win_smokeloader_a2
Parent samples:
SHA256 hash: 455cd1baccbf9b3abc59454a6d80ee72c2db5cb6ffb73a5102b5a1e6eb78599e
MD5 hash: 6955454a8fbb5376bdf5369a475b49a3
SHA1 hash: a3fd1d6df4d056396e4c6a42035e62f68373ac9b
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DCRat
File: Executable exe 455cd1baccbf9b3abc59454a6d80ee72c2db5cb6ffb73a5102b5a1e6eb78599e (this sample)
Distributed via web download
