MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 480f4a5849d419021dfa30782d4242f59415e83aca301abb1e2784f8eff882cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 480f4a5849d419021dfa30782d4242f59415e83aca301abb1e2784f8eff882cf
SHA3-384 hash: 396bea9bc406fea15ca9522f22b62092c65ab12922be2035b3266d4257d17e6457b9af42c482d92de5af220fc5f9347f
SHA1 hash: dea55ab65d2dd759039ea069fc1f7fe055a96da9
MD5 hash: 3431f70e334efd4bc2d2620f26ea1dcc
humanhash: stairway-lemon-arizona-carbon
File name:3431F70E334EFD4BC2D2620F26EA1DCC.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'985'672 bytes
First seen:2024-07-16 16:00:20 UTC
Last seen:2024-07-24 13:49:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:nW5kvdZUT2I5PF2ZLrltjGYWzIC+y+fAvp2cOeIKiuzqN7aiRycn8h3VJqFBhcBG:nW5cb0PBF2Fr3y+0wHbJCY0cAF8FiK
Threatray 521 similar samples on MalwareBazaar
TLSH T1B0D533F277E0A4B9F11815F1A99077301BFAF6284F2485C3C374284A8C556DAB979ECE
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 6192a6a6a6a6c401 (17 x RedLineStealer, 11 x PythonStealer, 9 x DCRat)
Reporter abuse_ch
Tags:DCRat exe signed

Code Signing Certificate

Organisation:STATPLUS LE
Issuer:STATPLUS LE
Algorithm:sha256WithRSAEncryption
Valid from:2024-07-09T00:00:00Z
Valid to:2026-07-09T00:00:00Z
Serial number: 7049503caa85048f
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f50fab63239cff0026021904c833dbda89d3e6ecf876eed29e206851997437ae
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
DCRat C2:
http://217.28.222.194/linuxProcessGeoimage/5/Vm5/2trafficTempApi/9Php/httpapiBaseWindowsDatalifeDleLocalpublictempcentral.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://217.28.222.194/linuxProcessGeoimage/5/Vm5/2trafficTempApi/9Php/httpapiBaseWindowsDatalifeDleLocalpublictempcentral.php https://threatfox.abuse.ch/ioc/1301637/

Intelligence

File Origin
# of uploads :
2
# of downloads :
466
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Keylogger.Gencbl-9969771-0
Create hunting rule

Win.Malware.7zip-10013374-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6696993f2c29bed579a48062win7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Other Static Stealth Malware Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Creating a file
Loading a suspicious library
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP POST request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint installer keylogger keylogger lolbin microsoft_visual_cc overlay packed redcap shell32 stealer
Link:
https://www.filescan.io/uploads/6696993f4cee8c9113b6dec5/reports/424879c7-2bba-470d-8894-62150b0d9914/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/480f4a5849d419021dfa30782d4242f59415e83aca301abb1e2784f8eff882cf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d54d4d41-cb39-4d44-bbfb-56a10a6c6c45
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1474311
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1474311 Sample: u841TF5Qex.exe Startdate: 16/07/2024 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic 2->79 81 Antivirus detection for dropped file 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 9 other signatures 2->85 11 u841TF5Qex.exe 8 2->11         started        process3 file4 69 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 11->69 dropped 71 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 11->71 dropped 91 Contains functionality to register a low level keyboard hook 11->91 15 cmd.exe 2 11->15         started        signatures5 process6 signatures7 95 Uses ping.exe to sleep 15->95 97 Uses ping.exe to check the status of other devices and networks 15->97 18 Installer.exe 4 24 15->18         started        22 7z.exe 2 15->22         started        24 7z.exe 3 15->24         started        26 9 other processes 15->26 process8 file9 59 C:\Windows\Speech\...\tMrdRLQQDTfd.exe, PE32 18->59 dropped 61 C:\Windows\ShellComponents\Installer.exe, PE32 18->61 dropped 63 C:\Users\user\Desktop\sjyQBTYJ.log, PE32 18->63 dropped 67 11 other malicious files 18->67 dropped 87 Found many strings related to Crypto-Wallets (likely being stolen) 18->87 28 cmd.exe 1 18->28         started        65 C:\Users\user\AppData\Local\...\Installer.exe, PE32 22->65 dropped signatures10 process11 signatures12 93 Uses ping.exe to sleep 28->93 31 tMrdRLQQDTfd.exe 14 586 28->31         started        36 conhost.exe 28->36         started        38 PING.EXE 1 28->38         started        40 chcp.com 1 28->40         started        process13 dnsIp14 73 217.28.222.194, 49734, 49736, 49738 TELENET-JSC-ASRU Russian Federation 31->73 51 C:\Users\user\Desktop\zVKPqiNW.log, PE32 31->51 dropped 53 C:\Users\user\Desktop\phgZGWTo.log, PE32 31->53 dropped 55 C:\Users\user\Desktop\gEXkWdDG.log, PE32 31->55 dropped 57 5 other malicious files 31->57 dropped 75 Found many strings related to Crypto-Wallets (likely being stolen) 31->75 77 Tries to harvest and steal browser information (history, passwords, etc) 31->77 42 cmd.exe 31->42         started        file15 signatures16 process17 signatures18 89 Uses ping.exe to sleep 42->89 45 conhost.exe 42->45         started        47 chcp.com 42->47         started        49 PING.EXE 42->49         started        process19
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/480f4a5849d419021dfa30782d4242f59415e83aca301abb1e2784f8eff882cf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/480f4a5849d419021dfa30782d4242f59415e83aca301abb1e2784f8eff882cf/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-07-12 00:10:24 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jahuuwcj2qmqehp2gb4c2qsc6wkbl2b2ziybvoy6e6cpr37yqlhq._file
Verdict:
unknown
Similar samples:
39519bc3329a0dbada982a973dec770825a3455653c8b7cbf09ffa83e1d40e7b
DCRat
6195a3c9648da3f992dc8c3b0b96a0169916c5db5d9ee78983a693d8f37d135c
DCRat
8257b6d9db2a0054895b3afaf01e40a3dfb56bdf7195865097201cc6c1e38edf
DCRat
84f515bfed1a8fa9f055a9f3bddb3851618ce0b0b940a5d548aadc24c19362bb
DCRat
8aa65358ef1e12582637acfac6035208e5d62fc9d39e715194d26c81502f0e2d
DCRat
aa89562efabab44187a1813c2ad73254d12e6ef92ede28d0a6054ee1ea09a175
DCRat
c89400e70500cd0faad8ea9d0c8d3cc2fc58408c1123dd3fbcd02e80d4bbed65
DCRat
f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a
DCRat
+ 511 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240716-tf7mhszfkj/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c80bd97a-70ca-431f-8163-a1a159b42175
Unpacked files
SH256 hash:
4e59fcdead80384d1844c2a3262956648c532d54579e6625c3de3e377fd2f4b5
MD5 hash:
97698893d90edb0639382c5d6089274d
SHA1 hash:
5068a7100a96d816795135cb82f15dce9ef097de
Link:
https://www.unpac.me/results/1f6c0095-df19-437d-9d4c-726ef292d29d/
SH256 hash:
480f4a5849d419021dfa30782d4242f59415e83aca301abb1e2784f8eff882cf
MD5 hash:
3431f70e334efd4bc2d2620f26ea1dcc
SHA1 hash:
dea55ab65d2dd759039ea069fc1f7fe055a96da9
Link:
https://www.unpac.me/results/1f6c0095-df19-437d-9d4c-726ef292d29d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/480f4a5849d419021dfa30782d4242f59415e83aca301abb1e2784f8eff882cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA
USER32.dll::CreateWindowExW

Comments