MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b356bb2813fcbcab1930a5e3687d600e54e4c0e603e17acd630e70ba27d960e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b356bb2813fcbcab1930a5e3687d600e54e4c0e603e17acd630e70ba27d960e
SHA3-384 hash: 3014b483bce5c276c986cb92a2d53be7c41a6602979cd639435813717b6509a19443aa9a63fb00c856c0a7177cdee857
SHA1 hash: 6030e17bb7874925075d0361474097bbd6d77b2a
MD5 hash: a2bf89d684e1f4ed51473eac41387e17
humanhash: blue-bakerloo-aspen-fourteen
File name:a2bf89d684e1f4ed51473eac41387e17.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:760'432 bytes
First seen:2021-09-14 06:01:44 UTC
Last seen:2021-09-14 07:02:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:KYqFWsmGqrq4EECwqm5x5KO/z4OIjC/Pc53oTV21ka9GTtHQiY6lzh:KYAzmG6J7fxtbHIjsPqW21zE9QiYq1
Threatray 165 similar samples on MalwareBazaar
TLSH T12BF4121036A49F21E6BECBF509B144904731BAF37A35CABE4DC202DC6972F815956F2B
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://45.129.96.25/uuid/EternalcpuupdateApiwindows.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.129.96.25/uuid/EternalcpuupdateApiwindows.php https://threatfox.abuse.ch/ioc/221596/

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cracknet.net
Verdict:
Malicious activity
Analysis date:
2021-09-12 15:42:51 UTC
Tags:
evasion trojan rat azorult stealer raccoon loader fareit pony redline vidar
Link:
https://app.any.run/tasks/8922720b-da9e-4d64-9feb-da971829a8d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187644/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37573868.12454.616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/617509c4db358dd15ed9206b/reports/3267ae64-f678-4269-a46b-a1d7280b2120/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b950fca-e364-415c-8646-9fd40dc79b1c
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850397
Signature
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 482826 Sample: CCAmMQAxfM.exe Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 70 Multi AV Scanner detection for dropped file 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected DCRat 2->74 76 2 other signatures 2->76 9 CCAmMQAxfM.exe 2->9         started        12 RuntimeBroker.exe 2->12         started        14 RuntimeBroker.exe 2->14         started        16 2 other processes 2->16 process3 signatures4 78 Creates processes via WMI 9->78 80 Drops PE files with benign system names 9->80 82 Injects a PE file into a foreign processes 9->82 18 CCAmMQAxfM.exe 9 24 9->18         started        21 WerFault.exe 23 9 9->21         started        24 WerFault.exe 9->24         started        26 CCAmMQAxfM.exe 9->26         started        84 Multi AV Scanner detection for dropped file 12->84 86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->86 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->88 28 RuntimeBroker.exe 16 15 12->28         started        31 WerFault.exe 12->31         started        90 Drops executables to the windows directory (C:\Windows) and starts them 14->90 37 2 other processes 14->37 33 UsoClient.exe 16->33         started        35 WerFault.exe 16->35         started        process5 dnsIp6 56 C:\Windows\SysWOW64\occache\dwm.exe, PE32 18->56 dropped 58 C:\Windows\SysWOW64\netmsg\lsass.exe, PE32 18->58 dropped 60 C:\Windows\SysWOW64\...\sihost.exe, PE32 18->60 dropped 64 6 other malicious files 18->64 dropped 39 cmd.exe 1 18->39         started        66 192.168.2.1 unknown unknown 21->66 62 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->62 dropped 68 45.129.96.25, 49742, 49752, 49758 GMHOST-EE Estonia 28->68 98 Tries to harvest and steal browser information (history, passwords, etc) 28->98 100 Tries to steal Crypto Currency Wallets 28->100 file7 signatures8 process9 process10 41 sihost.exe 39->41         started        44 w32tm.exe 1 39->44         started        46 conhost.exe 39->46         started        48 chcp.com 1 39->48         started        signatures11 92 Multi AV Scanner detection for dropped file 41->92 94 Drops executables to the windows directory (C:\Windows) and starts them 41->94 96 Injects a PE file into a foreign processes 41->96 50 sihost.exe 41->50         started        52 WerFault.exe 41->52         started        54 w32tm.exe 1 44->54         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b356bb2813fcbcab1930a5e3687d600e54e4c0e603e17acd630e70ba27d960e/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-12 19:52:00 UTC
AV detection:
14 of 38 (36.84%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jm2wxmubh7f4vmmtbjpdnb6wadsu4taoma7bplgwgdtqxit5syha._file
Verdict:
malicious
Similar samples:
2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792
DCRat
3b20be034ea25bcf142fe6d985c38918bde59c780b3ac7bdef4f0b88048f5dd0
DCRat
427eaaff3e1ad963dcb643bbc7c81a6338b544816ef22924c7b5d62a5ae55f70
DCRat
51b8434c68594113a4036358e477fe1ae1b4cc0b99d653b224250e24537d87e2
DCRat
d7fa1b64c4a5a79700791c113b5b2594a2194a8ca83bf18494337ef12d88fdb6
DCRat
f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d
DCRat
+ 155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210914-grg5safae5/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
49dd10bf34acb11a37a3b3250ab70f542b1739f74ef7ab4e90634520e7994795
MD5 hash:
9d9c165c33e6fc4fa90ab538695b74c3
SHA1 hash:
cb6a70b457625e5eeafd12464e883b7c9c78229c
Link:
https://www.unpac.me/results/5d83bda3-1ea8-43e4-9344-c6ef256f6c29/
SH256 hash:
4fdf0cc45012ea72678afa2ef7abb8869e532c988ce9a89f2178c1ab79c8ae0d
MD5 hash:
f4e6e7c7bbdb53b7e9dccfee224d83e1
SHA1 hash:
944b79f0de0990d3f68f65fe76b47a071c62d8d0
Link:
https://www.unpac.me/results/5d83bda3-1ea8-43e4-9344-c6ef256f6c29/
SH256 hash:
e8e6c386db30eabc07d224db538d397a131347728549bcbc0ecf80644b91d80d
MD5 hash:
0ac36ed61957a036bd8a0e729f7e940c
SHA1 hash:
ff8b9fd4c33f1a39f81d5f347fa56d3e0ac3396f
Link:
https://www.unpac.me/results/5d83bda3-1ea8-43e4-9344-c6ef256f6c29/
SH256 hash:
8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash:
4abff34e351e4e95514aecb515e8aea3
SHA1 hash:
742702e8c78e7cf19f19e56a6cdb2d1811759710
Link:
https://www.unpac.me/results/5d83bda3-1ea8-43e4-9344-c6ef256f6c29/
SH256 hash:
4b356bb2813fcbcab1930a5e3687d600e54e4c0e603e17acd630e70ba27d960e
MD5 hash:
a2bf89d684e1f4ed51473eac41387e17
SHA1 hash:
6030e17bb7874925075d0361474097bbd6d77b2a
Link:
https://www.unpac.me/results/5d83bda3-1ea8-43e4-9344-c6ef256f6c29/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4b356bb2813fcbcab1930a5e3687d600e54e4c0e603e17acd630e70ba27d960e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187644/

Comments