MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c92baaa64edfd48774deb9abaa4b22179ebaabd0e2db23b6bba69800a4885e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c92baaa64edfd48774deb9abaa4b22179ebaabd0e2db23b6bba69800a4885e7
SHA3-384 hash: e382ac1ff13e284fbc63d657ae58735e4b714a40dde79c88f4a431daae8345859386b98a1b28b060747bd3fe22540788
SHA1 hash: 06d6fbe25bde393bffc4817510b5dea3779bedc7
MD5 hash: 46ca8e4f9e2223cc396e996a0ae85202
humanhash: west-single-dakota-blue
File name:4c92baaa64edfd48774deb9abaa4b22179ebaabd0e2db23b6bba69800a4885e7
Download: download sample
Signature DCRat
Create hunting rule
File size:487'004 bytes
First seen:2021-02-28 23:01:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bb6c97d0fd6fbaeabdd43515fbc6b28 (17 x DCRat, 1 x NanoCore)
ssdeep 12288:3o4JzBT1gv4sY+tnAu+eAqOSmEnEbZaFm1xn9ApEw:3nsFAu8FBEiZac1xn9AX
Threatray 414 similar samples on MalwareBazaar
TLSH ACA4239B03E96E21D8106472E271CE20621A3DB7392D46B167A4F71FF44D690BEC93DB
Reporter c3rb3ru5d3d53c2
Tags:DCRat


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4c92baaa64edfd48774deb9abaa4b22179ebaabd0e2db23b6bba69800a4885e7
Verdict:
Malicious activity
Analysis date:
2021-02-28 23:04:06 UTC
Tags:
rat backdoor dcrat trojan evasion stealer
Link:
https://app.any.run/tasks/359521a8-49c7-49be-b62f-3d513a4034b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120068/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Rasftuby-9219744-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Setting a global event handler for the keyboard
Creating a file in the mass storage device
Stealing user critical data
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621524
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359755 Sample: s91yJJUygE Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 101 Found malware configuration 2->101 103 Antivirus detection for dropped file 2->103 105 Antivirus / Scanner detection for submitted sample 2->105 107 12 other signatures 2->107 13 s91yJJUygE.exe 3 6 2->13         started        16 csrss.exe 3 2->16         started        19 Idle.exe 2->19         started        21 6 other processes 2->21 process3 file4 73 C:\perffont\5PeQnYbsJ8L69rVS6Xl8.exe, PE32 13->73 dropped 23 wscript.exe 1 13->23         started        85 Antivirus detection for dropped file 16->85 87 Machine Learning detection for dropped file 16->87 89 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->89 signatures5 process6 dnsIp7 77 192.168.2.1 unknown unknown 23->77 26 cmd.exe 1 23->26         started        process8 signatures9 119 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 26->119 29 5PeQnYbsJ8L69rVS6Xl8.exe 6 26->29         started        32 conhost.exe 26->32         started        process10 file11 75 C:\perffont\sessionfont.exe, PE32 29->75 dropped 35 wscript.exe 1 29->35         started        91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 32->91 signatures12 process13 process14 37 cmd.exe 1 35->37         started        process15 39 sessionfont.exe 5 11 37->39         started        43 reg.exe 37->43         started        45 conhost.exe 37->45         started        file16 65 C:\perffont\csrss.exe, PE32 39->65 dropped 67 C:\Recovery\ctfmon.exe, PE32 39->67 dropped 69 C:\Program Files\...\dllhost.exe, PE32 39->69 dropped 71 2 other malicious files 39->71 dropped 109 Antivirus detection for dropped file 39->109 111 Machine Learning detection for dropped file 39->111 113 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 39->113 117 3 other signatures 39->117 47 ctfmon.exe 39->47         started        51 schtasks.exe 1 39->51         started        53 schtasks.exe 1 39->53         started        55 2 other processes 39->55 115 Disables the Windows task manager (taskmgr) 43->115 signatures17 process18 dnsIp19 79 loveme123.tk 185.84.108.9, 49730, 80 MAJORDOMORU Russian Federation 47->79 81 api.telegram.org 149.154.167.220, 443, 49731 TELEGRAMRU United Kingdom 47->81 83 ipinfo.io 216.239.38.21, 443, 49732 GOOGLEUS United States 47->83 93 Antivirus detection for dropped file 47->93 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 47->95 97 Machine Learning detection for dropped file 47->97 99 2 other signatures 47->99 57 conhost.exe 51->57         started        59 conhost.exe 53->59         started        61 conhost.exe 55->61         started        63 conhost.exe 55->63         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c92baaa64edfd48774deb9abaa4b22179ebaabd0e2db23b6bba69800a4885e7/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-02-28 13:44:58 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
29 of 48 (60.42%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
026e27e7f9ed14e29d3f9feffd83f8c83b88291439c5f1376d264504b832c2ca
DCRat
148feabec33f94aece0555b58ff452996a62c1b1437b1a01aebef8541c80e3b6
DCRat
3f1d6522a3dc9c69310b7c960788de537186c1256dae425eac2cf07c66dd3ab8
DCRat
50444a618ccea3cc6b93088378260b2fab89b5b92d4b06f27fc2e8a58b950c79
DCRat
7125ff46ae7468216b1764b9e22b5811d4890f33a237776c6cbf22c8d8f09bbc
DCRat
82461c1d69debb531d7e1fb5fa15867797d13636e3f88e0b831aed9491d44c49
DCRat
a7419640b97af3b82eba614a5595b48b8fe5fd904fea36cbf499468f51b38475
DCRat
b3f70398a3cccd64b165ef13c19ee9cb0e94f5743bf0a6147148044bcb0e485e
DCRat
bf375d5c15abb5c57b0cc3371a3537b79560fe82b1aff486afde752e05971ebb
DCRat
c84d34fac4693d44191e1d297b14f60978794ffdb95258d0fce3b89e61285e2d
DCRat
+ 404 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence spyware upx
Link:
https://tria.ge/reports/210228-8dcddlnhtx/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Executes dropped EXE
Unpacked files
SH256 hash:
d3d311a91e2947347307bb812d9ee6d7f5c40601553853cbf5a46cea3646dd3c
MD5 hash:
a4f485b0282cd625a1637087abf710f6
SHA1 hash:
1fd2ed1ffba511add04fbd6365595eb52f64c61f
Link:
https://www.unpac.me/results/d9ccb3bd-2329-4b82-8279-7dac1513a0df/
SH256 hash:
4c92baaa64edfd48774deb9abaa4b22179ebaabd0e2db23b6bba69800a4885e7
MD5 hash:
46ca8e4f9e2223cc396e996a0ae85202
SHA1 hash:
06d6fbe25bde393bffc4817510b5dea3779bedc7
Link:
https://www.unpac.me/results/d9ccb3bd-2329-4b82-8279-7dac1513a0df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4c92baaa64edfd48774deb9abaa4b22179ebaabd0e2db23b6bba69800a4885e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:upx_packed
Create hunting rule
Description:UPX packed file

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/4c92baaa64edfd48774deb9abaa4b22179ebaabd0e2db23b6bba69800a4885e7/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120068/

Comments