MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 587328521840c2d6fc72391af9027ddba0489878c7bb287058cbad683f6e0191. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

SHA256 hash: 587328521840c2d6fc72391af9027ddba0489878c7bb287058cbad683f6e0191
SHA3-384 hash: d3e73f0757a310de390c19df395c0549f1fb7b63e81170bdcc32992b955b1593ad54f602c8acdc14b925847c9c2bef70
SHA1 hash: 4c104a560d33883c318fc01a124926d45cb623ca
MD5 hash: b55b076e8edc2db3c01e266e297e2571
humanhash: butter-virginia-connecticut-nebraska
File name: Software updated v3.0.4.exe
Signature: DCRat
File size: 65'024 bytes
First seen: 2021-08-07 13:34:34 UTC
Last seen: 2021-08-07 14:13:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 768:CgzjK3Y+f0VmrP9bi6DurJNfjDpr3gmPhIrYR3+TJKlVLD27/hxewKE9n9woZ0o4:vK0gR7urLj9gjysJA6NxeJE9n6oe00h
Threatray: 680 similar samples on MalwareBazaar
TLSH: T18D53F602B7884351C46875B180FF093503E5BDCB6F32EA997F9827CD1D023E7AD46AA9
Reporter: Anonymous
Tags: DCRat exe

Intelligence

File Origin
# of uploads: 4
# of downloads: 201
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://dropmefiles.com/aLXUB
Verdict: Malicious activity
Analysis date: 2021-08-07 09:58:07 UTC
Tags: loader evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected DCRat
Behaviour
Behavior Graph (rendered image; only the recoverable node text is kept here):
Behavior Graph ID: 461062; Sample: Software updated v3.0.4.exe; Startdate: 07/08/2021; Architecture: WINDOWS; Score: 100
Domains / IPs contacted: sanctam.net; prda.aadg.msidentity.com; 83.220.173.160 (ports 49710, 49729, 49732; THEFIRST-ASRU, Russian Federation); iplogger.org 88.99.66.31:443 (HETZNER-ASDE, Germany); api.telegram.org 149.154.167.220:443 (TELEGRAMRU, United Kingdom); ipinfo.io 34.117.59.81:443 (GOOGLE-AS-AP, United States); 192.168.2.1; 127.0.0.1; 3 other IPs or domains
Files dropped: C:\Users\user\AppData\...\intobroker.exe (PE32); C:\Users\user\AppData\...\Datafile64.exe (PE32+); C:\Users\user\AppData\...\Datafile32.exe (PE32+); C:\Users\...\Software updated v3.0.4.exe.log (ASCII); C:\Users\user\AppData\Local\...\svchost64.exe (PE32+); C:\Users\user\AppData\Local\...\svchost32.exe (PE32+); C:\Windows\PCHEALTH\wermgr.exe (PE32); C:\Users\user\AppData\Roaming\...\cmd.exe (PE32); C:\ProgramData\dbg\HxTsr.exe (PE32); C:\Windows\System32\services32.exe (PE32+); C:\Windows\System32\services64.exe (PE32+)
Process chain: Software updated v3.0.4.exe starts intobroker.exe, Datafile32.exe and Datafile64.exe; intobroker.exe drops wermgr.exe, cmd.exe and HxTsr.exe and starts cmd.exe; Datafile32.exe / Datafile64.exe start cmd.exe, which launches svchost32.exe / svchost64.exe, powershell.exe and schtasks.exe; svchost32.exe / svchost64.exe drop and start services32.exe / services64.exe, which in turn launch cmd.exe, powershell.exe, conhost.exe and schtasks.exe
Signatures shown on graph nodes: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc); Hides threads from debuggers; Adds a directory exclusion to Windows Defender; Tries to detect sandboxes / dynamic malware analysis system (registry check); Drops executables to the windows directory (C:\Windows) and starts them; Uses schtasks.exe or at.exe to add and modify task schedules; 16 other signatures
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-08-06 04:41:54 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion miner persistence spyware stealer themida trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Process spawned unexpected child process
xmrig
Unpacked files
SHA256 hash: 587328521840c2d6fc72391af9027ddba0489878c7bb287058cbad683f6e0191
MD5 hash: b55b076e8edc2db3c01e266e297e2571
SHA1 hash: 4c104a560d33883c318fc01a124926d45cb623ca
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments