MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b2b2b3289b07a43248eea48cf0a08be8aa47e7e7bea49e82c8de950394bfd6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b2b2b3289b07a43248eea48cf0a08be8aa47e7e7bea49e82c8de950394bfd6f
SHA3-384 hash: 58b856b0be5dbca29c76ab65c557d8992e8fe529cb53b2104587ced0c592f67d4e0e56a762482c81edcdd3e6f9dad8ef
SHA1 hash: a0ac80b1d2477d6f9f7cfb85f9b322f6eafe2a97
MD5 hash: 57c4fdb04571d1a33920632b28e0dfca
humanhash: jersey-lithium-california-wisconsin
File name:57c4fdb04571d1a33920632b28e0dfca.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'358'848 bytes
First seen:2021-10-17 07:10:21 UTC
Last seen:2021-10-17 08:18:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:26MpGtN31zP/d++4UgT3rMh/kxLIUSUxLqlyFO4HxyBPF34usARwCfNw:RMAtNt95/gksxLWIRFO4HxyB14cwCf
Threatray 25 similar samples on MalwareBazaar
TLSH T10C55CF696ACA5FA5D5DE0237E4E2FD09D3689965C3C1F70F06C302E114053BBAD8EA63
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://62.109.1.30/katanazeromultiplayer/ExternalProcessorgenerator.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.109.1.30/katanazeromultiplayer/ExternalProcessorgenerator.php https://threatfox.abuse.ch/ioc/234884/

Intelligence

File Origin
# of uploads :
2
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
57c4fdb04571d1a33920632b28e0dfca.exe
Verdict:
Malicious activity
Analysis date:
2021-10-17 07:14:04 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/e72c63b8-92b4-4f99-8fdf-6cf07f4e37de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197936/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37778355.30783.1993.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616bcc8ba9d585e6d52b1ab9/reports/b95f3693-d3e3-4b04-82c6-32c75c9001d3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/821e94a7-3ac2-48b9-ab3b-7caf40699bdd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/871727
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates files inside the volume driver (system volume information)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 504156 Sample: lSriKaz4Rx.exe Startdate: 17/10/2021 Architecture: WINDOWS Score: 96 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Machine Learning detection for sample 2->47 49 2 other signatures 2->49 7 lSriKaz4Rx.exe 20 32 2->7         started        11 sppsvc.exe 3 2->11         started        13 lSriKaz4Rx.exe 2 2->13         started        15 8 other processes 2->15 process3 file4 35 C:\Windows\...\ShellExperienceHost.exe, PE32 7->35 dropped 37 C:\Windows\System32\PCPKsp\dllhost.exe, PE32 7->37 dropped 39 C:\Windows\ShellNew\lSriKaz4Rx.exe, PE32 7->39 dropped 41 12 other malicious files 7->41 dropped 57 Creates an undocumented autostart registry key 7->57 59 Creates multiple autostart registry keys 7->59 61 Creates an autostart registry key pointing to binary in C:\Windows 7->61 67 3 other signatures 7->67 17 cmd.exe 7->17         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 signatures5 process6 process7 19 lSriKaz4Rx.exe 17->19         started        23 conhost.exe 17->23         started        25 w32tm.exe 17->25         started        file8 27 C:\Windows\Tasks\RuntimeBroker.exe, PE32 19->27 dropped 29 C:\...\zVYkvKcoEXimguEXJdZQFrTWYUb.exe, PE32 19->29 dropped 31 C:\Recovery\smartscreen.exe, PE32 19->31 dropped 33 11 other malicious files 19->33 dropped 51 Creates files inside the volume driver (system volume information) 19->51 53 Creates multiple autostart registry keys 19->53 55 Drops executable to a common third party application directory 19->55 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b2b2b3289b07a43248eea48cf0a08be8aa47e7e7bea49e82c8de950394bfd6f/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 20:46:33 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmvswmujwb5egjeo5jem6cqix2fki7t6ppvet2bmrxuvaokl7vxq._file
Verdict:
malicious
Similar samples:
3a443ce680f9e02c1ad1e7802c4cb1662e98bcf162487234aae2cb02cb3d9d16
DCRat
42506f9e15ffdab6fce67556b602075ff779e2e84c6a40058a3941f0f71071b2
DCRat
5475722d8025caaffe4fcb7a434403c35db22761a98d31d0f202d9f682b8bd50
DCRat
6232bd70528f163b7aa8e8d76f6c4e63a0660eb112eabf2cc1859cc9e83ca755
DCRat
7c3f390f58bd6635171375748cbbba82ccb9502687004595799cd497c3fc8615
DCRat
ba319ab5c744553d08d3e981e76445631626be828e08bfa84487ae19434912b9
DCRat
cb1bfed9b946adbcb897876432268c9bc453b4b489a6df99f5812d5f71b95ea7
DCRat
eb41f0d7fa86d49349be3d44f29f71bb3b93091f2894eae69371e0d12310f6b9
DCRat
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/211017-hzyceadbhq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Process spawned unexpected child process
Unpacked files
SH256 hash:
f7d0a36d2f80e3034aa11258925dc93a0e623ed0ea2834e254d211af7aad5ee4
MD5 hash:
5d6030915e38c573ef67c0a03fb59cc1
SHA1 hash:
d144b106e07c4f501999aa3f316a3eeba9f67648
Link:
https://www.unpac.me/results/b7f900ab-a8a5-4cfc-bf18-f9924b8d9574/
Parent samples :
e0fa9c62364826149547d32728d06d155bdc6a54e90554695f8039bd7b73d036
54de552295e919218a7d43a1d0114bae169a79a1963113d615fd8bce428b385d
2774262a54ea6008d5b508f4d95eb811bd5d7dc50e1c0659d016ab33d966e729
aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9
26547389ff741eeba887fe39ec5f253d6597c03d1ffaf65c007ae5c40d897d5a
SH256 hash:
6101e83a3a6732ce8f69cd82b96830c44333616e7fa7ff6f0db2a57faf0f737d
MD5 hash:
a8b6b3290ea2b817a35248d4472e8cfd
SHA1 hash:
8c374d82babb61facddbbeeaf6a73913eaef8631
Link:
https://www.unpac.me/results/b7f900ab-a8a5-4cfc-bf18-f9924b8d9574/
Parent samples :
ca851ef16c519ecf785610e2db584a5b79f41c76916b28164e580e4fa1238715
2c9593138be6c386946e31595ccdd5550922ef3fdd843fbb5f1e83634c223a2a
327c974b8d165bfbdc0c4277bd3d68e24b6d55a6d970340662ff78468a9c4e29
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
8adfdf08e1d7883adcdf8228be4da62f9380c5ad99848be748432ecb49ff76c9
2ab659c780fbf4e657bc1170309f037bb7c36a5a70b005c2bce416a9e201e418
SH256 hash:
32f1b1f68822d72ff7d6696a05f320537143bb87865baa74355db41d09f0bb2a
MD5 hash:
db81ccd05d7560d3e3fc8a7844b5e4dd
SHA1 hash:
63b1548a7656979db84970ab15ac37cd09f2a615
Link:
https://www.unpac.me/results/b7f900ab-a8a5-4cfc-bf18-f9924b8d9574/
SH256 hash:
7e7d277ee439aa3ac20595df84d788993352bef00826b1c1fb6ffe67c30165be
MD5 hash:
b4cb71460e8d1e0202ff9488c6f7c0a3
SHA1 hash:
56c270b475895762ad013cc27fa9d7426c61e410
Link:
https://www.unpac.me/results/b7f900ab-a8a5-4cfc-bf18-f9924b8d9574/
SH256 hash:
5b2b2b3289b07a43248eea48cf0a08be8aa47e7e7bea49e82c8de950394bfd6f
MD5 hash:
57c4fdb04571d1a33920632b28e0dfca
SHA1 hash:
a0ac80b1d2477d6f9f7cfb85f9b322f6eafe2a97
Link:
https://www.unpac.me/results/b7f900ab-a8a5-4cfc-bf18-f9924b8d9574/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5b2b2b3289b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b2b2b3289b07a43248eea48cf0a08be8aa47e7e7bea49e82c8de950394bfd6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/197936/

Comments