MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 587ccc1e9cb1ab35402bd58787fa9f02646f9561f8f7906d09095a62fbc9149f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 587ccc1e9cb1ab35402bd58787fa9f02646f9561f8f7906d09095a62fbc9149f
SHA3-384 hash: ac84184c6a5b258c5b08bede479091abb5c3516358f8e7981d1420136a6634522af52aa8b650547e38b5aaa386842c99
SHA1 hash: e393d3b8a8f8802323cd612571321609a92ba616
MD5 hash: c49b3f311acc59e9c99b55c2ada71002
humanhash: finch-tango-august-maine
File name:C49B3F311ACC59E9C99B55C2ADA71002.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'035'264 bytes
First seen:2021-07-17 14:56:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:mlob+TyRxEqSiykEm3S1zMvmqF+uKuFnJYpHoiC0rbDpMRMb7cCZpkl9m:msmb+EQ
Threatray 11 similar samples on MalwareBazaar
TLSH T19325078937E59E96C54C977958B1068A97608302BFA3B71342B19E6C0ED33DB5E4CF83
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://217.28.221.114/game/traceCamtracepool/Prefpool/gameprodrulemobile/phptracescriptboot/generatorPythonmobilemobile/searchermessageanti/screenscreen/htop/script/geoauthserver.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://217.28.221.114/game/traceCamtracepool/Prefpool/gameprodrulemobile/phptracescriptboot/generatorPythonmobilemobile/searchermessageanti/screenscreen/htop/script/geoauthserver.php https://threatfox.abuse.ch/ioc/160895/

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C49B3F311ACC59E9C99B55C2ADA71002.exe
Verdict:
Malicious activity
Analysis date:
2021-07-17 14:57:03 UTC
Tags:
trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/dd1b59b8-0b40-4072-9146-37e59052356e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172339/
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8bf1305c-ab9b-49c6-bf74-3d03a3ba28ad
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/817826
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/587ccc1e9cb1ab35402bd58787fa9f02646f9561f8f7906d09095a62fbc9149f/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 19:04:00 UTC
File Type:
PE (.Net Exe)
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lb6myhu4wgvtkqbl2wdyp6u7ajsg7flb7d3za3ijbfngf66jcspq._file
Verdict:
unknown
Similar samples:
27b1723e770a97166455a9b7edd4c7e3ee89ac046ef8dad51f7a48ac7c71c006
DCRat
54d7969a09d2ad3dcf82a96a0fce4e3fc5bbb6ee26d01a0b8517f364b5431217
DCRat
a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e
DCRat
ac1976494d19c9e673c6ae69a2e88b5901ad494d57d5d942cef0121232772132
DCRat
c07d9b494ee6dad4baa8ad39b37af05488278e8823b81feab25f359ccdc390bd
DCRat
cf84be2a0d26ffd76a445e6a288e1dc9d61ff01bd00e9c4dac583e86215c207f
DCRat
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210717-cnm15sysba/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
9ce056e4730308892fbdc7df096b91bfa3d3ff94cc8dbb8baa6206bed5037884
MD5 hash:
e83b924500beaf202c41c5a9a3338ce5
SHA1 hash:
109bb696796f5dee76d6225a51561bb4a4cd071c
Link:
https://www.unpac.me/results/4ba1ae61-ec0e-41da-83ce-fc59d9e4b734/
SH256 hash:
587ccc1e9cb1ab35402bd58787fa9f02646f9561f8f7906d09095a62fbc9149f
MD5 hash:
c49b3f311acc59e9c99b55c2ada71002
SHA1 hash:
e393d3b8a8f8802323cd612571321609a92ba616
Link:
https://www.unpac.me/results/4ba1ae61-ec0e-41da-83ce-fc59d9e4b734/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/587ccc1e9cb1ab35402bd58787fa9f02646f9561f8f7906d09095a62fbc9149f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172339/

Comments