MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4
SHA3-384 hash: 2ee399550ec2b6f9875fcbb6d9d45f1dd11e3a6dff6d57fb0da53e13327c2f54878ab504f4fc6616b9ab595a475f740a
SHA1 hash: 4630278e8685554605a1163734090755f93bb603
MD5 hash: f6554abbd3e494bce4d00fe2d487cacc
humanhash: india-saturn-bakerloo-jersey
File name:4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4
Download: download sample
Signature DCRat
Create hunting rule
File size:2'728'468 bytes
First seen:2021-02-28 17:04:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 069407361307fa34b23ade96ab2d8363 (16 x DCRat, 1 x CobaltStrike, 1 x RedLineStealer)
ssdeep 49152:UoU9ArCeZcziSLnmPfRmZDJra5l7GR8pTL+wUL0GyM3Mm+z3jshvMl7VNce:yC6zisnUJ5TGRqTL+w1u3XvMl7VN5
Threatray 27 similar samples on MalwareBazaar
TLSH 55C53344CBB00EA4E6B2FE75D95F6C9D3462FA7F7969C3066401E0ADC903B362AD2741
Reporter c3rb3ru5d3d53c2
Tags:DCRat


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
1
# of downloads :
474
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4
Verdict:
Malicious activity
Analysis date:
2021-02-28 17:07:04 UTC
Tags:
trojan rat backdoor dcrat evasion
Link:
https://app.any.run/tasks/af500af0-f7b4-47e8-94f2-69dce798ff24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120031/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

Win.Packed.Msilperseus-9497542-0
Create hunting rule

Win.Trojan.Njrat-9757230-0
Create hunting rule

Win.Malware.Uztuby-9774369-0
Create hunting rule

Win.Dropper.Nanocore-9774881-0
Create hunting rule

Win.Malware.Uztuby-9797514-0
Create hunting rule

Win.Malware.Uztuby-9836295-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the Program Files subdirectories
Launching a process
Sending an HTTP GET request
DNS request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Creating a file in the mass storage device
Stealing user critical data
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621412
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disables the Windows task manager (taskmgr)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359698 Sample: B6y0K6Fwnh Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 76 Found malware configuration 2->76 78 Antivirus detection for dropped file 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 13 other signatures 2->82 13 B6y0K6Fwnh.exe 3 6 2->13         started        17 uLmEmbzGaFVTvg.exe 3 2->17         started        19 lsass.exe 2->19         started        21 3 other processes 2->21 process3 file4 74 C:\drivercrt\kJ91X9n17bEumqaECHde.exe, PE32 13->74 dropped 94 Detected unpacking (changes PE section rights) 13->94 96 Hides threads from debuggers 13->96 23 wscript.exe 1 13->23         started        98 Antivirus detection for dropped file 17->98 100 Machine Learning detection for dropped file 17->100 102 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->102 signatures5 process6 process7 25 cmd.exe 1 23->25         started        process8 27 kJ91X9n17bEumqaECHde.exe 6 25->27         started        30 conhost.exe 25->30         started        file9 72 C:\drivercrt\reviewruntime.exe, PE32 27->72 dropped 32 wscript.exe 1 27->32         started        process10 process11 34 cmd.exe 1 32->34         started        process12 36 reviewruntime.exe 6 15 34->36         started        40 reg.exe 34->40         started        42 conhost.exe 34->42         started        file13 64 C:\Windows\SKB\LanguageModels\lsass.exe, PE32 36->64 dropped 66 C:\...\ShellExperienceHost.exe, PE32 36->66 dropped 68 C:\Program Files (x86)\...\uLmEmbzGaFVTvg.exe, PE32 36->68 dropped 70 4 other malicious files 36->70 dropped 84 Antivirus detection for dropped file 36->84 86 Machine Learning detection for dropped file 36->86 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 36->88 92 4 other signatures 36->92 44 schtasks.exe 1 36->44         started        46 schtasks.exe 1 36->46         started        48 schtasks.exe 1 36->48         started        50 4 other processes 36->50 90 Disables the Windows task manager (taskmgr) 40->90 signatures14 process15 process16 52 conhost.exe 44->52         started        54 conhost.exe 46->54         started        56 conhost.exe 48->56         started        58 conhost.exe 50->58         started        60 conhost.exe 50->60         started        62 conhost.exe 50->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2021-02-28 17:05:07 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
27 of 48 (56.25%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35
DCRat
3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba
DCRat
60c8d36d9acc5b958d863d2315fc84aebf0cb2cea7caca3f0055fc2aecd18cdc
DCRat
6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61
DCRat
9410e496d1a29876d153d83af6cf3ffb21d7d072b476d6a8a28497e4b5f4ae63
DCRat
c0258a01a5881d1f5de632d7617a0e225173696db23fb99f72ea1c84e6be396c
DCRat
c84d34fac4693d44191e1d297b14f60978794ffdb95258d0fce3b89e61285e2d
DCRat
d2e32cba0f48d078bfbb00b65652d69b053136c31c85135217dce00aeed80a3c
DCRat
edd956a7bc18bf82d3716d1b7a9a485c7ed665edd53cd9459580e005e2735c17
DCRat
f6a307d243c407c27489de37adac83e9205be531cbb4e2cb71545627faf813fd
DCRat
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence spyware
Link:
https://tria.ge/reports/210228-4w3zmjxyns/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Executes dropped EXE
Unpacked files
SH256 hash:
93d9ce6291eb10f727da27c487816b29fcba1b907d252f94d11ea0c3a99175fa
MD5 hash:
c7fc3bcb573b112eca27af5ef7192cce
SHA1 hash:
e43a907bdaced88d3c4444844e72d2381e9f1ad7
Link:
https://www.unpac.me/results/0d7973a5-9429-4b9d-814c-67f6706ac971/
SH256 hash:
4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4
MD5 hash:
f6554abbd3e494bce4d00fe2d487cacc
SHA1 hash:
4630278e8685554605a1163734090755f93bb603
Link:
https://www.unpac.me/results/0d7973a5-9429-4b9d-814c-67f6706ac971/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120031/

Comments