MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
SHA3-384 hash: ab0e7ea129d4728f4d56cff8e7f3f55972446f7a6bb62ef92c4a3d17365e67344ccb3cbc43ce5e068116a92b719a17da
SHA1 hash: d0292acd8f617ce49e1830bd47e108c4c3f833e2
MD5 hash: 47ca55cdb30db720d739bfb73504b928
humanhash: fish-east-fifteen-nebraska
File name:47CA55CDB30DB720D739BFB73504B928.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:13'752'832 bytes
First seen:2024-05-31 00:55:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94400fe3e62cd2376124312fe435b8e4 (5 x DCRat, 4 x RemcosRAT, 3 x njrat)
ssdeep 393216:cjMG3LZAmatuaWyJbpuSvTW00xyysfbtNcEH:cjr6matuapuSrW00xl4wEH
Threatray 523 similar samples on MalwareBazaar
TLSH T1DDD63345EBAAB523E16489F46B3C633BD86DC9C3C9C79631B08851D841F0B098FE5EE5
TrID 83.6% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65)
4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.7% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a0985805.xsph.ru/59f76ddc.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
514
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1.exe
Verdict:
Malicious activity
Analysis date:
2024-05-31 00:58:02 UTC
Tags:
rat dcrat remote darkcrystal
Link:
https://app.any.run/tasks/31f295cc-c4ed-4c79-8f34-6024d1ec2264

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Agent-346908
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6659203920ad30d287677461win7simulatehigh_evasion
Tags:
Banker Execution Generic Other Stealth Atraps Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Searching for the window
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed shell32
Link:
https://www.filescan.io/uploads/6659202332eca5b280012718/reports/cb1fcf95-665f-47a6-a492-4c0a5b6fa8a3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
Result
Verdict:
MALICIOUS
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e93cd71-6bec-434c-a04b-21d2fdb1884b
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1449910
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates files with lurking names (e.g. Crack.exe)
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1449910 Sample: RFAwChXSve.exe Startdate: 31/05/2024 Architecture: WINDOWS Score: 100 89 Multi AV Scanner detection for domain / URL 2->89 91 Found malware configuration 2->91 93 Antivirus detection for URL or domain 2->93 95 13 other signatures 2->95 11 RFAwChXSve.exe 10 2->11         started        15 RDMwYUvZPK.exe 2->15         started        18 RDMwYUvZPK.exe 2->18         started        process3 dnsIp4 71 C:\Users\user\...\RobloxPlayerLauncher.exe, PE32 11->71 dropped 73 C:\Users\...\AkrienPremiumCrackByHurminka.exe, PE32 11->73 dropped 117 Creates files with lurking names (e.g. Crack.exe) 11->117 20 AkrienPremiumCrackByHurminka.exe 10 11->20         started        24 RobloxPlayerLauncher.exe 1 38 11->24         started        85 141.8.194.203 SPRINTHOSTRU Russian Federation 15->85 file5 signatures6 process7 dnsIp8 55 C:\Users\user\...\AkrienPremiumCrack.exe, PE32+ 20->55 dropped 57 C:\Users\user\AppData\...\AkrienCrack.exe, PE32 20->57 dropped 99 Antivirus detection for dropped file 20->99 101 Multi AV Scanner detection for dropped file 20->101 103 Machine Learning detection for dropped file 20->103 105 Creates files with lurking names (e.g. Crack.exe) 20->105 27 AkrienCrack.exe 3 6 20->27         started        31 AkrienPremiumCrack.exe 7 17 20->31         started        79 128.116.119.3 ROBLOX-PRODUCTIONUS United States 24->79 81 13.224.189.122 AMAZON-02US United States 24->81 83 23.201.248.158 AKAMAI-ASUS United States 24->83 59 C:\Users\user\...\RobloxPlayerLauncher.exe, PE32 24->59 dropped 61 C:\Users\user\...\RobloxPlayerLauncher[1].exe, PE32 24->61 dropped 107 Tries to detect virtualization through RDTSC time measurements 24->107 34 RobloxPlayerLauncher.exe 20 24->34         started        file9 signatures10 process11 dnsIp12 75 C:\Browserfont\refdhcp.exe, PE32 27->75 dropped 77 C:\Browserfont\ilq5gxa6sOuB.vbe, data 27->77 dropped 119 Antivirus detection for dropped file 27->119 121 Multi AV Scanner detection for dropped file 27->121 123 Machine Learning detection for dropped file 27->123 36 wscript.exe 27->36         started        87 104.21.68.54 CLOUDFLARENETUS United States 31->87 125 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->125 127 Tries to evade analysis by execution special instruction (VM detection) 31->127 129 Tries to detect debuggers (CloseHandle check) 31->129 131 3 other signatures 31->131 file13 signatures14 process15 signatures16 97 Windows Scripting host queries suspicious COM object (likely to drop second stage) 36->97 39 cmd.exe 36->39         started        process17 process18 41 refdhcp.exe 39->41         started        45 conhost.exe 39->45         started        file19 63 C:\Windows\en-US\RuntimeBroker.exe, PE32 41->63 dropped 65 C:\Windows\...\RDMwYUvZPK.exe, PE32 41->65 dropped 67 C:\Users\user\RDMwYUvZPK.exe, PE32 41->67 dropped 69 11 other malicious files 41->69 dropped 109 Antivirus detection for dropped file 41->109 111 Multi AV Scanner detection for dropped file 41->111 113 Machine Learning detection for dropped file 41->113 115 4 other signatures 41->115 47 schtasks.exe 41->47         started        49 schtasks.exe 41->49         started        51 schtasks.exe 41->51         started        53 26 other processes 41->53 signatures20 process21
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-05-25 11:51:17 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtavn5lyo53rb46obqqxmzfzqmg57svua7ymnxqmvyinkua5dsqq._file
Verdict:
malicious
Similar samples:
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e
DCRat
a5f4363625928d7fb64087212bd9d094972260739b274f44b53bbbd5be6d19b7
DCRat
df4138a66646a5635fcb28efd5b0e7a8df86a67b77e9105516b83cca0233c34a
DCRat
e131950a925158b637f77523a77a2c5566f5b4b102a84a703b979b603e199ce4
DCRat
+ 513 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat discovery evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240531-bacwvagg5v/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detected Akrien Game Cheat
Enumerates physical storage devices
Drops file in Program Files directory
Checks system information in the registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
Downloads MZ/PE file
Sets file execution options in registry
DCRat payload
DcRat
Process spawned unexpected child process
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b0cfceaf-a928-473b-8aa1-ea3d5176a604
Unpacked files
SH256 hash:
73ff007b685023ead1e8a9840b6717f2b3cedd1d005ce578106e08bae0afdf43
MD5 hash:
ef0f547dfef34380202700fdeddc1cc8
SHA1 hash:
7beea5749f899d22f2270d317f48a4c049bf2c9e
Link:
https://www.unpac.me/results/7dec497a-38b1-4d20-9c2e-8b58a10d40a3/
SH256 hash:
b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f
MD5 hash:
89bf0f7e9adf290c6d571eccf79206a9
SHA1 hash:
65f95791234ff93bc3e35f1d35d7a6664872dc56
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/7dec497a-38b1-4d20-9c2e-8b58a10d40a3/
Parent samples :
d5775aecd2e8d149e2b9ba576ddc2db3624a974cafc8fc1df318226fc2c6d4b4
8e997bef9ad61722cb7b782da93b7373acd19dbdc4cb91b47e80280e2100b6a3
5ba1b028da2c0e52c38c7a55bf1e7952cc50c907576ec2f22b6a25d691dde2d6
be15d47389920ab9637eefc24bbf6c191607013a3d2608c1243a377aacb5d4ce
f027301d00c6bc4b1c87e5e3266775f395907fa04e2c768b7082381d60880f82
b1088573c2e783e97fb07ccf1d8d8e9372ccd8983cc07c7ee9c6989a3844b334
e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff
45e1440acf3453915252d0d61ffcee6fd96170ccf2323c16178dfaaa186565f8
1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
f733fbe95a7fe8a2c0ef459b05fed88b7a295de5e39c591bf62d3e0a5575e6fc
658b0a01404144b5da03574e2a05b6c02030baa2276b9e047174c6ccb3e8918d
cf4efad0b9d74151b09be4acfb12d1aea2a9e316b97a2eb7f4ca8ac12b0e6d8c
381bb149e04bec8f62336cdf3c81741c2c7a471f6dacc2f7835eb174643abad7
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
1a39cff5d5b0b550cd9b30f08c0e32430c2e1b92aecc663d4151789e54d13f64
1b881d8c3ba53e9b250de6d1118a27738fd8e88fd475e3e01afabd4e627f83a2
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
2ec983b4653f6a5ee028e9ecfa37d8cf2404a10e9691bb8ed39023be643ef55e
797bbd3d5e08ab4919540911ab6149be0c6f38de3659378bf38fc5ac01ccee48
4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
4d908524b238846077a6fb1df34be93ae926e13c15bb8ac5c45a8980ef4862ce
581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892
8ac5083f52da0ff312259331f65b326782803aa837a7b371a6d43a021b0c24c3
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
e1a60229372db9d65dbadfe6db923edf3987ac9f908878491bd12497613324d8
41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
ab71530434f64e6aa105732c42dbb5a409ac0aae4258b3c3e7db1a7d5914cc30
3b88fdeb5144b0f3a710b42cefa937e57aed28001acb82562229472ce258a124
70fbebc77d5f37a0ffd373be6ee9f218a5ea30b86e395e7212b850f0f6934b6f
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
1d6628a6cd66f3dd7f3377ee1c30e8a92cedb1d40f5a121b84e5ab84a0e19909
841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4
1b304c8a2ae4546bd7958c7f22becaf6b682a5c88b7a01945a952de991b0ef0b
693cf45b243073eeb5479f4b29ff36c417b858b042363cf1a53d7623504a6d29
f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
48be2502fad84657b383c41b2616f34a029f9a39d63aae1a1714faf7ba79e3da
SH256 hash:
04738cc657834b137d9eef7a0458a8d96c5ad984b734f5639e9bda24da3cb4d4
MD5 hash:
55a77ef61d615cb74c2adc227aebdaa6
SHA1 hash:
8296ed6e1b2a27212ec4c9f461d496e4a09c68bc
Link:
https://www.unpac.me/results/7dec497a-38b1-4d20-9c2e-8b58a10d40a3/
SH256 hash:
4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
MD5 hash:
47ca55cdb30db720d739bfb73504b928
SHA1 hash:
d0292acd8f617ce49e1830bd47e108c4c3f833e2
Link:
https://www.unpac.me/results/7dec497a-38b1-4d20-9c2e-8b58a10d40a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetTempPathA
WIN_USER_APIPerforms GUI Actionsuser32.dll::CreateWindowExA

Comments