MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a2bd74b2dc8b31da8d46035c9a77ee1eb20dabaf2affa04230849bcdb5e3bbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a2bd74b2dc8b31da8d46035c9a77ee1eb20dabaf2affa04230849bcdb5e3bbf
SHA3-384 hash: 3579ca0eee165600c94fcc5295f529181fd89f797a0cb80f6b99b97e2135cf6c8e782fa28c075b8cf45680db2bc06a3e
SHA1 hash: 544712847e3343ce1423f1ea1bb03023bc80312e
MD5 hash: a100cd626553653384f7e6cd2484ab36
humanhash: queen-table-arizona-three
File name:a100cd626553653384f7e6cd2484ab36.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:504'832 bytes
First seen:2021-08-17 06:56:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:hqnOTB8B+CmV820ZDBAoSTM7eBUJi/+L6/o1:h+OTB8B+PADBEQ/JiG+/U
Threatray 52 similar samples on MalwareBazaar
TLSH T16CB48B8637E8AA11F2BF4775E0F55D6E4B71B412A6B2EF4F09C652D92813740EC00BA7
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://45.144.29.24:1234/GameAsyncgenerator.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.144.29.24:1234/GameAsyncgenerator.php https://threatfox.abuse.ch/ioc/191022/

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a100cd626553653384f7e6cd2484ab36.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 07:01:20 UTC
Tags:
stealer trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/5ce50a28-86da-4a0d-b5d2-ba979b195561

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179863/
Detection(s):
Win.Packed.Uztuby-9853721-0
Create hunting rule

Win.Packed.Uztuby-9864800-0
Create hunting rule

Win.Packed.Uztuby-9869253-0
Create hunting rule

Win.Packed.Uztuby-9873584-0
Create hunting rule

Win.Packed.Basic-9876200-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file
Sending a UDP request
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Connection attempt
Sending an HTTP GET request
Creating a window
Reading critical registry keys
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51826954-cc18-400c-9c48-ced4058715a4
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834127
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466558 Sample: LXFAi2sHib.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected DCRat 2->57 59 7 other signatures 2->59 7 LXFAi2sHib.exe 8 23 2->7         started        11 winlogon.exe 15 20 2->11         started        14 RuntimeBroker.exe 3 2->14         started        16 6 other processes 2->16 process3 dnsIp4 39 C:\Windows\System32\icsvc\RuntimeBroker.exe, PE32 7->39 dropped 41 C:\Windows\System32\cscobj\dwm.exe, PE32 7->41 dropped 43 C:\Windows\Setup\State\WmiPrvSE.exe, PE32 7->43 dropped 47 8 other malicious files 7->47 dropped 63 Detected unpacking (overwrites its own PE header) 7->63 65 Creates multiple autostart registry keys 7->65 67 Creates an autostart registry key pointing to binary in C:\Windows 7->67 79 3 other signatures 7->79 18 cmd.exe 1 7->18         started        49 45.144.29.24, 1234, 49710, 49713 HQservCommunicationSolutionsIL United Kingdom 11->49 51 192.168.2.1 unknown unknown 11->51 45 C:\Users\user\AppData\...\gJbzqOkUDO.bat, DOS 11->45 dropped 69 Multi AV Scanner detection for dropped file 11->69 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->71 73 Machine Learning detection for dropped file 11->73 21 cmd.exe 11->21         started        75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->75 77 Tries to harvest and steal browser information (history, passwords, etc) 16->77 file5 signatures6 process7 signatures8 61 Drops executables to the windows directory (C:\Windows) and starts them 18->61 23 w32tm.exe 1 18->23         started        25 conhost.exe 18->25         started        27 chcp.com 1 18->27         started        29 WmiPrvSE.exe 18->29         started        31 conhost.exe 21->31         started        33 chcp.com 21->33         started        35 w32tm.exe 21->35         started        37 winlogon.exe 21->37         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a2bd74b2dc8b31da8d46035c9a77ee1eb20dabaf2affa04230849bcdb5e3bbf/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-08-14 15:03:15 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jiv5osznzczr3kguma24tj364hvsbwv26kx7ubbdbbe3zw26ho7q._file
Verdict:
unknown
Similar samples:
36d1497c536921f332a26558c9eff42f6502bf5ffec6710f4b50e35f98e627aa
DCRat
4e591ca9530450eca3c227d9292c3496d54d022c83d8b9c5372d91b97fed3203
DCRat
6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935
DCRat
9550c84ed4f760fd806bca85f64f00f877d676eeae5a1982c4bf815dd7d29ee5
DCRat
aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443
DCRat
b8c94207197749e607ab88f5ca8c7b3f8a7802fef556462607905fd3300157ec
DCRat
bdeb14ad6ce1ac8539d4b937c593ae706826fd3732ad506de5189521eea43643
DCRat
+ 42 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/210817-tnfetzksrx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Reads user/profile data of web browsers
Executes dropped EXE
DCRat Payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
96d476529214b19ca102a50a0990405399cbbe88f3337fc3744e565a0a1b78c7
MD5 hash:
f5afb16278725d19e3f23af0e8ec73a1
SHA1 hash:
6e34548a814ee04e02623a29a5839f3dca5b3ee6
Link:
https://www.unpac.me/results/795424cb-77a5-4ce9-a5a7-17dd4327ba84/
SH256 hash:
4a2bd74b2dc8b31da8d46035c9a77ee1eb20dabaf2affa04230849bcdb5e3bbf
MD5 hash:
a100cd626553653384f7e6cd2484ab36
SHA1 hash:
544712847e3343ce1423f1ea1bb03023bc80312e
Link:
https://www.unpac.me/results/795424cb-77a5-4ce9-a5a7-17dd4327ba84/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a2bd74b2dc8b31da8d46035c9a77ee1eb20dabaf2affa04230849bcdb5e3bbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179863/

Comments