MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb
SHA3-384 hash: f1dbe2da95aa531c1ff8ea0ba020217716756fe91a54bfad117f058c917e4e7c1ec0183fa553ee6407eb26fc8b68c10d
SHA1 hash: 5252599b2cba5d279dc1141c73c5f401267debbf
MD5 hash: 84249000b4b29f797de4c662eb539df1
humanhash: angel-idaho-mockingbird-equal
File name:84249000b4b29f797de4c662eb539df1
Download: download sample
Signature DCRat
Create hunting rule
File size:457'216 bytes
First seen:2021-07-30 23:35:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep 12288:QbjDhu9TbPpRoWX61PMdO+ADQXs0qFcYrGbyNDqW5F:e1eTbhRos6FMdlA0XtycVVE
TLSH T117A4E06BB1E05189CAF642F6DA921786E77134720751B3CB27B812B71B2B4D69F3C390
Reporter zbetcheckin
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
552
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://dropmefiles.com/Nkqw8
Verdict:
Malicious activity
Analysis date:
2021-07-30 19:02:02 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/6a51b774-39a2-4a0c-8ce3-15e8cb5b5a1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175387/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34126398.28157.2351.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/790ff1c9-2589-4f50-8d16-b185e78d17d8
Result
Threat name:
DCRat Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824749
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Defender Exclusion
Sigma detected: Schedule system process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457160 Sample: gNdkKD0Y0t Startdate: 31/07/2021 Architecture: WINDOWS Score: 100 88 45.137.190.236, 49750, 49751, 49752 BITWEB-ASRU Russian Federation 2->88 90 92.63.192.242, 80 ITDELUXE-ASRU Russian Federation 2->90 104 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->104 106 Antivirus detection for dropped file 2->106 108 Multi AV Scanner detection for dropped file 2->108 110 9 other signatures 2->110 11 gNdkKD0Y0t.exe 9 2->11         started        signatures3 process4 file5 82 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 11->82 dropped 14 cmd.exe 3 11->14         started        process6 signatures7 124 Wscript starts Powershell (via cmd or directly) 14->124 126 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->126 128 Uses schtasks.exe or at.exe to add and modify task schedules 14->128 130 Adds a directory exclusion to Windows Defender 14->130 17 welldone.exe 2 4 14->17         started        21 sys.exe 14->21         started        23 setup.exe 1 18 14->23         started        25 8 other processes 14->25 process8 dnsIp9 64 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 17->64 dropped 96 Multi AV Scanner detection for dropped file 17->96 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->98 100 Machine Learning detection for dropped file 17->100 28 MicrosoftApi.exe 1 5 17->28         started        66 C:\...\WinruntimedhcpNetcommon.exe, PE32 21->66 dropped 68 C:\Winruntimedhcp\VJt8Zy0BQ8pAy.bat, ASCII 21->68 dropped 32 wscript.exe 21->32         started        70 C:\Windows\Client.exe, PE32 23->70 dropped 72 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 23->72 dropped 74 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 23->74 dropped 102 Disables security and backup related services 23->102 35 cmd.exe 1 23->35         started        37 cmd.exe 23->37         started        92 cdn.discordapp.com 162.159.133.233, 443, 49738, 49746 CLOUDFLARENETUS United States 25->92 94 162.159.135.233, 443, 49743 CLOUDFLARENETUS United States 25->94 76 C:\Users\user\AppData\Local\...\welldone.exe, PE32+ 25->76 dropped 78 C:\Users\user\AppData\Local\Temp\...\sys.exe, PE32 25->78 dropped 80 C:\Users\user\AppData\Local\...\setup.exe, PE32 25->80 dropped file10 signatures11 process12 dnsIp13 84 C:\Users\user\AppData\...\tmpFC98.tmp.cmd, DOS 28->84 dropped 116 Multi AV Scanner detection for dropped file 28->116 118 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->118 120 Machine Learning detection for dropped file 28->120 39 cmd.exe 28->39         started        42 cmd.exe 28->42         started        86 192.168.2.1 unknown unknown 32->86 122 Wscript starts Powershell (via cmd or directly) 32->122 44 net.exe 35->44         started        46 conhost.exe 35->46         started        48 conhost.exe 37->48         started        50 sc.exe 37->50         started        file14 signatures15 process16 signatures17 112 Wscript starts Powershell (via cmd or directly) 39->112 114 Adds a directory exclusion to Windows Defender 39->114 52 conhost.exe 39->52         started        54 timeout.exe 39->54         started        56 powershell.exe 39->56         started        58 conhost.exe 42->58         started        60 timeout.exe 42->60         started        62 net1.exe 44->62         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb/
Threat name:
Win64.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 20:05:22 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata upx
Link:
https://tria.ge/reports/210730-vaxvbzhd5j/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
Unpacked files
SH256 hash:
5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb
MD5 hash:
84249000b4b29f797de4c662eb539df1
SHA1 hash:
5252599b2cba5d279dc1141c73c5f401267debbf
Link:
https://www.unpac.me/results/e880d2f3-d5c4-4b6a-b8f0-e9ebf27a56a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1493960/
Cape
Cape
https://www.capesandbox.com/analysis/175387/

Comments


Avatar
zbet commented on 2021-07-30 23:35:35 UTC

url : hxxp://45.137.190.166/mine.exe