MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53ab564f89d18f4cd23210668dcb0d704d32083eff9d9f0dd090fd3bb49902f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	53ab564f89d18f4cd23210668dcb0d704d32083eff9d9f0dd090fd3bb49902f3
SHA3-384 hash:	32d595ab9b8558bdbad34c53f4d5ab1c8fb11589159ba3b2c6d0ed32ca80b26f22826f5581b5a45f9114142c11370475
SHA1 hash:	94848e589190aa00da237fd9a541e6d26b9b7009
MD5 hash:	11fadca055fcb753dad2fe6a63eb4d07
humanhash:	lion-pasta-river-harry
File name:	53ab564f89d18f4cd23210668dcb0d704d32083eff9d9f0dd090fd3bb49902f3
Download:	download sample
Signature	DCRat Create hunting rule
File size:	996'864 bytes
First seen:	2021-02-28 07:09:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4121f9e3c687a61218814d1f7f6b1057 (4 x TriumphLoader, 1 x DCRat)
ssdeep	24576:WUL+k7GSQTjnOZWkmNZYXjpkZEk74zeCFZ8SbiBYTAii:WUL3SSRxmza9kZF4FbR+BmA
TLSH	99252230B2D0D833E55682310197DBB05D3A30722F7A2DCB7B956AB95E707E2D739289
Reporter	JAMESWT_WT
Tags:	DCRat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

53ab564f89d18f4cd23210668dcb0d704d32083eff9d9f0dd090fd3bb49902f3

Verdict:

Malicious activity

Analysis date:

2021-02-28 09:18:33 UTC

Tags:

rat backdoor dcrat trojan evasion

Link:

https://app.any.run/tasks/1080bcd0-40ab-461f-922e-eee42888ca4e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/119811/

Detection(s):

Win.Malware.Midie-9836139-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Sending a UDP request

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

DNS request

Sending a custom TCP request

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/621133

Signature

.NET source code contains in memory code execution

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/53ab564f89d18f4cd23210668dcb0d704d32083eff9d9f0dd090fd3bb49902f3/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-02-25 01:05:08 UTC

AV detection:

26 of 47 (55.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kovvmt4j2ghuzurscbti3synobgtecb676oz6doqsd6txnezalzq._file

Verdict:

suspicious

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/210228-lcsbxfatcs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

9403761965c6bc388fd7303f39c61a22edaadd88cfa0c0802b97f9445b33d3d7

MD5 hash:

8fd9f822e16c8cc33742a25ec13b1808

SHA1 hash:

f6fb71951788b5a26e3bad88a293f3b9ebcdce41

Link:

https://www.unpac.me/results/ec21dbf1-205d-469c-809c-e79ddff6c58f/

SH256 hash:

53ab564f89d18f4cd23210668dcb0d704d32083eff9d9f0dd090fd3bb49902f3

MD5 hash:

11fadca055fcb753dad2fe6a63eb4d07

SHA1 hash:

94848e589190aa00da237fd9a541e6d26b9b7009

Link:

https://www.unpac.me/results/ec21dbf1-205d-469c-809c-e79ddff6c58f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/53ab564f89d18f4cd23210668dcb0d704d32083eff9d9f0dd090fd3bb49902f3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/119811/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample