MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bdab9a6c4d44f4404bf56fd34b5d6d9dd602e88cc02b5b57b09cf7e55e71cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bdab9a6c4d44f4404bf56fd34b5d6d9dd602e88cc02b5b57b09cf7e55e71cb1
SHA3-384 hash: bd4e46499d827519586bbd306f0b9893e5501d80cc62e55554901eb74ddc66bff1fc24a86cbdd511bf30c9504773eed1
SHA1 hash: 1d75900b8763b47da81af317f1e146232d4252dc
MD5 hash: 4d242c5ba8a073fd3bdc6e21d4206297
humanhash: muppet-north-stream-tennis
File name:SecuriteInfo.com.Trojan.Generic.33996402.32730.25858
Download: download sample
Signature DCRat
Create hunting rule
File size:12'691'456 bytes
First seen:2023-06-30 16:54:31 UTC
Last seen:2023-06-30 17:48:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 196608:b73DBivaR4eB+qj8yhn2kg2tpexvMs7pzGQU4Px+FFaZTMZhKTC6QYP:bBi0BE4XIR7pzGNkx+3aZoKTK
Threatray 49 similar samples on MalwareBazaar
TLSH T121D63346EB015229D8B95772C4D2096964FAB4F3AF06B6BF346C5E5E8C27FE04C3E121
TrID 83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.Generic.33996402.32730.25858
Verdict:
Malicious activity
Analysis date:
2023-06-30 16:57:05 UTC
Tags:
rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/618a927a-1e0a-4c53-a5c5-5800e618b017

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/404344/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33996402.32730.25858.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/94282/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
advpack CAB control explorer installer lolbin lolbin packed remote rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/649f08e82299d26882639996/reports/806a73c5-ad87-41b4-9d96-9a6f394a338e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4bdab9a6c4d44f4404bf56fd34b5d6d9dd602e88cc02b5b57b09cf7e55e71cb1
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/47157428-3c7d-446d-9537-8557cc89d638
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1264367
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Costura Assembly Loader
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 897393 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 01/07/2023 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Found malware configuration 2->52 54 14 other signatures 2->54 7 SecuriteInfo.com.Trojan.Generic.33996402.32730.25858.exe 1 4 2->7         started        11 sxDUyFYKxERUMt.exe 2->11         started        13 sxDUyFYKxERUMt.exe 2->13         started        15 28 other processes 2->15 process3 file4 36 C:\Users\user\AppData\...\someperform.exe, PE32 7->36 dropped 38 C:\Users\user\AppData\...\someperfform.exe, PE32+ 7->38 dropped 58 Writes many files with high entropy 7->58 17 someperform.exe 1 7->17         started        60 Injects a PE file into a foreign processes 11->60 signatures5 process6 signatures7 40 Multi AV Scanner detection for dropped file 17->40 42 Machine Learning detection for dropped file 17->42 44 Writes many files with high entropy 17->44 46 2 other signatures 17->46 20 someperform.exe 1 39 17->20         started        24 someperform.exe 17->24         started        26 someperform.exe 17->26         started        process8 file9 28 C:\Users\user\Pictures\...\sxDUyFYKxERUMt.exe, PE32 20->28 dropped 30 C:\Users\user\AppData\...\sxDUyFYKxERUMt.exe, PE32 20->30 dropped 32 C:\Users\Public\Libraries\RuntimeBroker.exe, PE32 20->32 dropped 34 15 other malicious files 20->34 dropped 56 Drops executable to a common third party application directory 20->56 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bdab9a6c4d44f4404bf56fd34b5d6d9dd602e88cc02b5b57b09cf7e55e71cb1/
Threat name:
Win64.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-23 21:35:23 UTC
File Type:
PE+ (Exe)
Extracted files:
57
AV detection:
18 of 37 (48.65%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpnltjwe2rhuibf7k36tjnow3howaluizqbllnl3bhhx4vphdsyq._file
Verdict:
malicious
Similar samples:
01a9053ceb7d249f6db1ab2c30b5506b4b46cf206279d19d5a77b10b0711aaa7
DCRat
1faa876f1399fb2010efd296d79c43f2b7dda0ec087991d542327515a405540c
DCRat
5ee5e591bb2ef8a32f74e08936129f473c1d66a9c61ca454ad86fd6c9a3451d0
DCRat
7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7
DCRat
bfbf48fb4dd150dbc6c34b309dc308326a5b9ab40defafbe32060236243fe8ba
DCRat
+ 39 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/230630-ve4pxadh95/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
4bdab9a6c4d44f4404bf56fd34b5d6d9dd602e88cc02b5b57b09cf7e55e71cb1
MD5 hash:
4d242c5ba8a073fd3bdc6e21d4206297
SHA1 hash:
1d75900b8763b47da81af317f1e146232d4252dc
Link:
https://www.unpac.me/results/82a5e1c3-963c-4ea7-a86d-aa6b68a81264/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4bdab9a6c4d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bdab9a6c4d44f4404bf56fd34b5d6d9dd602e88cc02b5b57b09cf7e55e71cb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/404344/

Comments