MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5af998eadaf766f821394c52cf9270a0c87a6c579d315782f78ac053b31a133b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5af998eadaf766f821394c52cf9270a0c87a6c579d315782f78ac053b31a133b
SHA3-384 hash: e79d4772d79d99c2b6ec033e5193884756b1614cbf04c33681830dd10fd4695e27549a22762e06c59ec1ba6bdb4bd0cb
SHA1 hash: b9b3828daa659b9664b5334211d41824716be9e2
MD5 hash: 6bcccc49d573e34edb2242d64ab26a31
humanhash: illinois-minnesota-virginia-kansas
File name:6bcccc49d573e34edb2242d64ab26a31.bin.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'069'040 bytes
First seen:2023-07-23 07:05:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (36 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:iy58P4rCQ00csnz1NDXcGaKLSuW/U4/80a07Xh5thb7GUIihPV3CCJqAGcjo4R2f:iy58w+QK2XDsGaeS3/UZ07Xh5D7GShVS
Threatray 45 similar samples on MalwareBazaar
TLSH T116E523A6FAC94CF2E45106B49D919A6A04ABF7091B3C4D83A6F4391348F13D2E53DF4B
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 610f0e0f178e4d33 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe signed

Code Signing Certificate

Organisation:w5h3hw345hw35hw5
Issuer:w5h3hw345hw35hw5
Algorithm:sha256WithRSAEncryption
Valid from:2023-07-22T00:00:00Z
Valid to:2025-07-22T00:00:00Z
Serial number: 0882ef2654617d56
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0bee1c11f2065bb755c4b6b0b5197f231e3b175edcf72f917224c1c5a9597de8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
DCRat C2:
http://193.124.92.72/0flower/5bigload/Longpoll_/47/VoiddbPollLow/CdnLinuxPipeTemporary/Multi/7packet/PublicTestExternal/privateBigloaduploads/sql6Javascript8/Windows/Linux/trafficTesttemp/image/voiddb4Pipe/Generator_/CentralserverServerVm/ExternalVmDlewindows/vmGameTrackLocalPublic.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
6bcccc49d573e34edb2242d64ab26a31.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-07-23 07:05:31 UTC
Tags:
rat backdoor dcrat stealer loader miner
Link:
https://app.any.run/tasks/e81e8a02-3ba1-4faa-a77b-1316fca25187

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/429487/
Detection(s):
Win.Keylogger.Gencbl-9969771-0
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/5af998eadaf766f821394c52cf9270a0c87a6c579d315782f78ac053b31a133b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f0ca4ab7-e79d-4baf-9804-414dccf39980
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277856
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops executable to a common third party application directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277856 Sample: 0AWhO6AhzU.exe Startdate: 23/07/2023 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 8 other signatures 2->64 9 0AWhO6AhzU.exe 8 2->9         started        13 tTHGUAzHHzDzbH.exe 2->13         started        16 cmd.exe 2 2->16         started        18 8 other processes 2->18 process3 dnsIp4 44 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 9->44 dropped 46 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 9->46 dropped 66 Contains functionality to register a low level keyboard hook 9->66 20 cmd.exe 2 9->20         started        56 193.124.92.72, 49699, 49700, 49701 AS-REGRU Russian Federation 13->56 48 32ed816a19b62a4ba9...96ad36efd7490e2.exe, PE32 13->48 dropped 68 Antivirus detection for dropped file 13->68 70 Machine Learning detection for dropped file 13->70 72 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 13->72 74 Tries to steal Crypto Currency Wallets 13->74 22 wscript.exe 13->22         started        24 wscript.exe 13->24         started        file5 signatures6 process7 process8 26 browserSvc.exe 4 10 20->26         started        30 7z.exe 2 20->30         started        32 7z.exe 3 20->32         started        34 13 other processes 20->34 file9 50 C:\Users\user\Links\tTHGUAzHHzDzbH.exe, PE32 26->50 dropped 52 C:\Program Files (x86)\Adobe\...\cmd.exe, PE32 26->52 dropped 76 Creates processes via WMI 26->76 78 Drops executable to a common third party application directory 26->78 36 cmd.exe 26->36         started        54 C:\Users\user\AppData\...\browserSvc.exe, PE32 30->54 dropped signatures10 process11 process12 38 conhost.exe 36->38         started        40 w32tm.exe 36->40         started        42 browserSvc.exe 36->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5af998eadaf766f821394c52cf9270a0c87a6c579d315782f78ac053b31a133b/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-07-23 07:06:06 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ll4zr2w265tpqijzjrjm7etqudehu3cxtuyvpaxxrlafhmy2cm5q._file
Verdict:
malicious
Similar samples:
4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c
DCRat
5eed5d475bb5edd1c0a850f5f7466bd0d7f0e1041b348cabbc25993409df3c92
DCRat
7e65b2962bce542404085d763315b31a8d766410fa7bceeafb21f168024dd3e7
DCRat
8126b281072f428af30905d7c2fadee86ba76c7a9e8053264b463388cf301b46
DCRat
e0b4f5ccb3802b069b065ddb00b2362b16fcf50052ed81ec8f491247d8147a4b
DCRat
+ 35 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:xmrig infostealer miner rat spyware stealer
Link:
https://tria.ge/reports/230723-hw3gyseb21/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
DCRat payload
XMRig Miner payload
DcRat
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
35e04d9e2044cd47de9a916049080a51f44ac93a5b66735e0342a3471df09f06
MD5 hash:
35c52f3ce5ffb61d4989ea76c9420dfb
SHA1 hash:
28c28940802550a7c821ccc1a1c11c0e2250d01b
Link:
https://www.unpac.me/results/35c0a50f-27fb-4840-898f-34c8bca9d26d/
SH256 hash:
5af998eadaf766f821394c52cf9270a0c87a6c579d315782f78ac053b31a133b
MD5 hash:
6bcccc49d573e34edb2242d64ab26a31
SHA1 hash:
b9b3828daa659b9664b5334211d41824716be9e2
Link:
https://www.unpac.me/results/35c0a50f-27fb-4840-898f-34c8bca9d26d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5af998eadaf7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5af998eadaf766f821394c52cf9270a0c87a6c579d315782f78ac053b31a133b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/429487/

Comments