MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669
SHA3-384 hash: bd0b76bb55358182b8744e96b6af75a6b437d6781ab5f42569d9d29200b42dcd1f4415de1389238c9464ce55ca122dcf
SHA1 hash: 9a5118bc0770b5f624ed2b2628fffac90f06a381
MD5 hash: a9f3b61d6762d6c1146f2319194d3b01
humanhash: cardinal-alpha-single-harry
File name:a9f3b61d6762d6c1146f2319194d3b01
Download: download sample
Signature DCRat
Create hunting rule
File size:5'033'492 bytes
First seen:2021-10-01 01:42:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 98304:AGU6Ozp3jKRo44aOBmTOSy90Ii8mR3KeFy7zLk5:HUJ5mNyiIi8mRDFuza
Threatray 1'035 similar samples on MalwareBazaar
TLSH T1FC364BF17906F2DFC2AE0434F547EA07C52842B24A159701D93978BBC693E5922CEB6F
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a9f3b61d6762d6c1146f2319194d3b01
Verdict:
Malicious activity
Analysis date:
2021-10-01 01:44:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e63822a0-b934-4791-bcfd-de7f0ff41df5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193818/
Detection(s):
SecuriteInfo.com.Dropper.Generic.VZR.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f7d036b-f64a-4541-bd71-76685aa2b3d4
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862399
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 494827 Sample: dZX0P6jEKH Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for domain / URL 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 10 other signatures 2->64 9 dZX0P6jEKH.exe 3 11 2->9         started        13 smartscreen.exe 3 2->13         started        15 Memory Compression.exe 14 3 2->15         started        18 2 other processes 2->18 process3 dnsIp4 46 C:\Windows\SysWOW64\...\smartscreen.exe, PE32 9->46 dropped 48 C:\Program Files\...\zwdvhkKwjvnVLiuq.exe, PE32 9->48 dropped 50 C:\PerfLogs\smartscreen.exe, PE32 9->50 dropped 52 C:\Users\user\AppData\...\dZX0P6jEKH.exe.log, ASCII 9->52 dropped 74 Detected unpacking (changes PE section rights) 9->74 76 Query firmware table information (likely to detect VMs) 9->76 78 Creates processes via WMI 9->78 80 Drops PE files with benign system names 9->80 20 dZX0P6jEKH.exe 8 21 9->20         started        82 Multi AV Scanner detection for dropped file 13->82 84 Machine Learning detection for dropped file 13->84 86 Hides threads from debuggers 13->86 88 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->88 54 ip-api.com 208.95.112.1, 49754, 49756, 80 TUT-ASUS United States 18->54 56 92.63.100.160, 80 THEFIRST-ASRU Russian Federation 18->56 file5 signatures6 process7 file8 38 C:\Windows\SysWOW64\secproc\dwm.exe, PE32 20->38 dropped 40 C:\Windows\SysWOW64\hmkd\sihost.exe, PE32 20->40 dropped 42 C:\Windows\SysWOW64\...\RuntimeBroker.exe, PE32 20->42 dropped 44 3 other malicious files 20->44 dropped 66 Query firmware table information (likely to detect VMs) 20->66 68 Hides threads from debuggers 20->68 70 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->70 24 cmd.exe 1 20->24         started        signatures9 process10 signatures11 72 Drops executables to the windows directory (C:\Windows) and starts them 24->72 27 RuntimeBroker.exe 24->27         started        30 w32tm.exe 24->30         started        32 conhost.exe 24->32         started        34 chcp.com 24->34         started        process12 signatures13 90 Multi AV Scanner detection for dropped file 27->90 92 Detected unpacking (changes PE section rights) 27->92 94 Query firmware table information (likely to detect VMs) 27->94 96 4 other signatures 27->96 36 w32tm.exe 30->36         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 01:43:09 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
50575798954fd5dff1f376d1597a3d0ff52f51789c5ae98b48957590b540bcce
DCRat
554280d027e0ca9fac59307569a6352f04371cb55b35301b0a9432069ffc82c3
DCRat
6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935
DCRat
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
DCRat
8c373102d98ba3188c4361deee0bd43f89e4e8785b613a7af99bddd45329303d
DCRat
a43aeebdf142d982d97157178d0b190e386b39d532c8782a7767f84f2a88e97b
DCRat
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
DCRat
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
DCRat
f83b0cd39202e7040eae66dac5444eff5f9d878e3bb778613f1525aba2e3c5de
DCRat
+ 1'025 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/211001-b49gxaafgj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
Unpacked files
SH256 hash:
f7d0a36d2f80e3034aa11258925dc93a0e623ed0ea2834e254d211af7aad5ee4
MD5 hash:
5d6030915e38c573ef67c0a03fb59cc1
SHA1 hash:
d144b106e07c4f501999aa3f316a3eeba9f67648
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
Parent samples :
e0fa9c62364826149547d32728d06d155bdc6a54e90554695f8039bd7b73d036
54de552295e919218a7d43a1d0114bae169a79a1963113d615fd8bce428b385d
2774262a54ea6008d5b508f4d95eb811bd5d7dc50e1c0659d016ab33d966e729
aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9
26547389ff741eeba887fe39ec5f253d6597c03d1ffaf65c007ae5c40d897d5a
SH256 hash:
5e19c4b3486ed7902779d92c105f129d7dd36f642841cc6bde3c6213a0ddabea
MD5 hash:
fd56d047d6ad68623b46f78459fa2f5b
SHA1 hash:
cd4abb9c2ab8cf5777875d4958215ab71b3c1708
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
SH256 hash:
019a3aba394150a274cb64ae640dad561131bae5dfbcf7cc007d7c917a875502
MD5 hash:
2287e830cef91b395df7fc82c9d2a977
SHA1 hash:
a7ae0e1ffa9d1fadfc236d78a6d7d809e25ce253
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
Parent samples :
54de552295e919218a7d43a1d0114bae169a79a1963113d615fd8bce428b385d
2774262a54ea6008d5b508f4d95eb811bd5d7dc50e1c0659d016ab33d966e729
SH256 hash:
27f267700f851f19787cf23a72edcb0905c031589354d08c57a4ab03653ec20e
MD5 hash:
ee1a0abafd1d2220f312c19c58684c9a
SHA1 hash:
5e474ae55c319fe60e1e43da5b15cb28aadbf70b
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
Parent samples :
e0fa9c62364826149547d32728d06d155bdc6a54e90554695f8039bd7b73d036
26547389ff741eeba887fe39ec5f253d6597c03d1ffaf65c007ae5c40d897d5a
SH256 hash:
66e4732f64f15bd8d5c13dcba1bd533d12d759b41254ba0ed8d8b8ec2cc33135
MD5 hash:
d97b75d4f73f1ac378780cb64daa8d66
SHA1 hash:
5c430c9c63c1352af6f1b8b3f5270c9e3d53426b
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
SH256 hash:
7e7d277ee439aa3ac20595df84d788993352bef00826b1c1fb6ffe67c30165be
MD5 hash:
b4cb71460e8d1e0202ff9488c6f7c0a3
SHA1 hash:
56c270b475895762ad013cc27fa9d7426c61e410
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
SH256 hash:
b029fb11697f8f92512855affcfbc8d22826a026e1125a6ffb5e5d291d2c9830
MD5 hash:
d819da1f94363d160bac29f4995f3b33
SHA1 hash:
580ae79e64e37bb27ad4e81be41958fc988d1666
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
SH256 hash:
486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669
MD5 hash:
a9f3b61d6762d6c1146f2319194d3b01
SHA1 hash:
9a5118bc0770b5f624ed2b2628fffac90f06a381
Link:
https://www.unpac.me/results/6bb1a729-e169-476a-9073-d7315368de04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1649905/
Cape
Cape
https://www.capesandbox.com/analysis/193818/

Comments


Avatar
zbet commented on 2021-10-01 01:42:55 UTC

url : hxxp://92.63.100.160/Driver.exe