MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f3d5f1a734020dabc57565c29f60194eb2a0fd1eba8fd7a041c6329d5803f78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f3d5f1a734020dabc57565c29f60194eb2a0fd1eba8fd7a041c6329d5803f78
SHA3-384 hash: 733112e6e5f1cc4e0b028b513f2d21592c4b7520cf057217229341634c6305441da8185e7b4407b74fc732cbd3b18988
SHA1 hash: 29c2657971a98fb0d18d2546f77d105dc440ba5a
MD5 hash: f258c3d8bd93d4f7fbfcdadd83e22207
humanhash: video-papa-tennessee-equal
File name:F258C3D8BD93D4F7FBFCDADD83E22207.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'481'216 bytes
First seen:2021-06-18 00:41:43 UTC
Last seen:2021-06-18 01:50:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:z7D3vZ6g9gW5oLDyohSir0S1UYKnpaTbt5o0j4xm0QIhXYSnGltvBcN9ye3+hdMW:XDfZ6g9d5iDyuwS1UYKopj4sb/yuwNAD
Threatray 20 similar samples on MalwareBazaar
TLSH 4365339406D7CDCEF48C29FB71AD4A00600D60BD3A45E9B7D137AF96AC43569F06A33A
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://62.109.24.104/LinePollsqlGenerator.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.109.24.104/LinePollsqlGenerator.php https://threatfox.abuse.ch/ioc/135600/

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F258C3D8BD93D4F7FBFCDADD83E22207.exe
Verdict:
Malicious activity
Analysis date:
2021-06-18 01:00:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74728e2c-1f6f-403f-b675-50176457a3eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166678/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fc29773-1412-42e1-8a8a-49c5015beb22
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804042
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436451 Sample: 5sF4QVZ67t.exe Startdate: 18/06/2021 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Antivirus detection for dropped file 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 11 other signatures 2->66 7 5sF4QVZ67t.exe 12 21 2->7         started        11 System.exe 3 2->11         started        13 Memory Compression.exe 3 2->13         started        15 12 other processes 2->15 process3 file4 46 C:\Recovery\Memory Compression.exe, PE32 7->46 dropped 48 C:\ProgramData\...\RuntimeBroker.exe, PE32 7->48 dropped 50 C:\Program Files\...\System.exe, PE32 7->50 dropped 52 8 other malicious files 7->52 dropped 68 Detected unpacking (changes PE section rights) 7->68 70 Detected unpacking (overwrites its own PE header) 7->70 72 Creates an undocumented autostart registry key 7->72 76 5 other signatures 7->76 17 cmd.exe 7->17         started        20 schtasks.exe 1 7->20         started        22 schtasks.exe 1 7->22         started        24 3 other processes 7->24 74 Hides threads from debuggers 11->74 signatures5 process6 signatures7 56 Uses ping.exe to sleep 17->56 58 Uses ping.exe to check the status of other devices and networks 17->58 26 cbEmTAiCNizzMWaVB.exe 17->26         started        30 conhost.exe 17->30         started        32 chcp.com 17->32         started        34 PING.EXE 17->34         started        36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 24->42         started        44 conhost.exe 24->44         started        process8 dnsIp9 54 62.109.24.104, 80 THEFIRST-ASRU Russian Federation 26->54 78 Hides threads from debuggers 26->78 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f3d5f1a734020dabc57565c29f60194eb2a0fd1eba8fd7a041c6329d5803f78/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-06-14 01:49:00 UTC
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l46v6gttiaqnvpcxkzoct5qbstvsud6r5oup26qedrrstvmah54a._file
Verdict:
suspicious
Similar samples:
25a5d91f4c867eb1436fdba263123537b96a582fd0f80dccf96537198678925e
DCRat
34abe88bc1e9dfe7fa77df43c9c9005bbd27843a40bdcd28431ab9dda7527c1f
DCRat
43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f
DCRat
53e72c77ac1b8f4a54db9bb9b178720062176e09f026f7c9b0c9bba62ace16a5
DCRat
612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc
DCRat
84ae6fe4cd4f1357409af9eeea51b0ceb8385242c1e67b1f22a51a9475f3ce01
DCRat
9a080e918c88adb048ffca38c0604318eee80e19be5a578186a63cdd64d45a41
DCRat
abe3031332bae1f6a27965882c14a88f740514103b8532f2fb41ccc925879e59
DCRat
bb13cf7f4d7f5db58730a4dd948093ab12ee0f65c2393784e43143913d51130b
DCRat
bd15b8dc3c9eeddcc7e33877876fb0d3856495b473df950f50bec4701db73d5c
DCRat
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210618-88wydasxsj/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
70cae8db94d3fdb11fa097b8221306d2feb5a6c03023a1199df02eacd051985c
MD5 hash:
7c69eaa55d4a5ca219aa7740490cf8dd
SHA1 hash:
c882cce6e25a677221450923bf212835d2ec1688
Link:
https://www.unpac.me/results/3ce1828f-75d5-4d80-a271-892c6af92792/
SH256 hash:
5f3d5f1a734020dabc57565c29f60194eb2a0fd1eba8fd7a041c6329d5803f78
MD5 hash:
f258c3d8bd93d4f7fbfcdadd83e22207
SHA1 hash:
29c2657971a98fb0d18d2546f77d105dc440ba5a
Link:
https://www.unpac.me/results/3ce1828f-75d5-4d80-a271-892c6af92792/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f3d5f1a734020dabc57565c29f60194eb2a0fd1eba8fd7a041c6329d5803f78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166678/

Comments