MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ad2bc141f8016e37fcc4fa80d574d42d8cbc4244ca913174ae38b7000f3ce09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 8



SHA256 hash: 4ad2bc141f8016e37fcc4fa80d574d42d8cbc4244ca913174ae38b7000f3ce09
SHA3-384 hash: ab74f64c5d4f76fb967eefb30f8f0f76d5e11b8957eb4d6da240156ec9e31a017fdea2389d8580db315422757ce61ee5
SHA1 hash: 17b619c275a698676e350ff492f5992b968317ff
MD5 hash: 094530622888dbbc9f0aa7312af93208
humanhash: harry-alabama-batman-iowa
File name: 4AD2BC141F8016E37FCC4FA80D574D42D8CBC4244CA91.exe
Signature: DCRat
File size: 3'252'736 bytes
First seen: 2021-10-01 15:47:57 UTC
Last seen: 2021-10-01 17:03:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep: 49152:x7Wjaeh53qrBzJC0FThhzpGy4AuL8lJiTukK4yopM3Yqjm22T78G:x7N0KvTD498eTu7CMBjmBToG
TLSH: T11AE523E89D8BDC2ECDA454347BA3C4F7D0FACE21546288E63417D8C684F1E2B6D53926
dhash icon: 58a4a4868eaef2e0 (1 x DCRat)
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://83.220.170.182/poolcore/loggame/record/system/prod/cutlocalframe/systemframegameframe/pluginlog/searchersystemanti/limitWarbin/scriptCambootframe/geoApiLinuxflower.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://83.220.170.182/poolcore/loggame/record/system/prod/cutlocalframe/systemframegameframe/pluginlog/searchersystemanti/limitWarbin/scriptCambootframe/geoApiLinuxflower.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/229535/

Intelligence


File Origin
# of uploads: 2
# of downloads: 148
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4AD2BC141F8016E37FCC4FA80D574D42D8CBC4244CA91.exe
Verdict: No threats detected
Analysis date: 2021-10-01 16:07:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a window
Searching for the window
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 70 / 100
Signature
.NET source code contains very large array initializations
Accesses ntoskrnl, likely to find offsets for exploits
Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected DCRat
Behaviour
Behavior Graph (ID 495231; sample 4AD2BC141F8016E37FCC4FA80D5...; start date 01/10/2021; architecture WINDOWS; score 70). The graph rendering is not reproducible in text; the node information that survives is:
- DNS lookups: ipinfo.io, api.telegram.org, 231.29.2.0.in-addr.arpa; ProcessHacker.exe (started by processhacker-2.39-setup.tmp) connects to wj32.org, 162.243.25.33:443 (DIGITALOCEAN-ASN, United States).
- 4AD2BC141F8016E37FCC4FA80D574D42D8CBC4244CA91.exe drops processhacker-2.39-setup.exe and "Process Hacker 3 bild.exe" (both PE32) and starts both; the Process Hacker installer drops peview.exe, kprocesshacker.sys and is-OG7F7.tmp (PE32+) plus 35 other files (3 malicious) under C:\Program Files.
- "Process Hacker 3 bild.exe" drops reviewhostperfCommonfonthostperf.exe and starts wscript.exe, which runs cmd.exe, which starts reviewhostperfCommonfonthostperf.exe and conhost.exe.
- reviewhostperfCommonfonthostperf.exe drops C:\reviewhostperfCommon\conhost.exe, C:\reviewhostperfCommon\audiodg.exe, C:\Windows\...\backgroundTaskHost.exe (PE32) and 4 other malicious files, then starts cmd.exe, two schtasks.exe instances and 4 other processes; cmd.exe in turn starts audiodg.exe, conhost.exe and 2 other processes.
- Signatures attached to nodes: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file and for submitted file; Detected unpacking (overwrites its own PE header); Accesses ntoskrnl, likely to find offsets for exploits (ProcessHacker.exe); Queries sensitive BIOS Information via WMI (reviewhostperfCommonfonthostperf.exe and audiodg.exe); Uses schtasks.exe or at.exe to add and modify task schedules; Drops executable to a common third party application directory; Hides that the sample has been downloaded from the Internet (zone.identifier); Uses ping.exe to sleep and to check the status of other devices and networks (cmd.exe); 9 other signatures.
Threat name: ByteCode-MSIL.Trojan.Ursu
Status: Malicious
First seen: 2021-08-17 02:53:35 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat discovery infostealer rat spyware stealer
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DCRat Payload
DcRat
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments