MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fd5abeb26cdc364310d6e88bb4326d6801eba7dfebca2601fb0ad11797acdd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fd5abeb26cdc364310d6e88bb4326d6801eba7dfebca2601fb0ad11797acdd6
SHA3-384 hash: f4aa0ceca77ece7a606c3d03bc1bc326ef5472f59abb2e634765f4eb61b98a625db55a2162ec28da9f51a3c8965338e6
SHA1 hash: 884ddd5180e8c73eaaa0eae1f9d7d006d8f1318a
MD5 hash: e9f352055b65d3ef96dda92252dc1172
humanhash: massachusetts-spring-tango-asparagus
File name:injector_Cheat.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:468'830 bytes
First seen:2020-10-10 15:43:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (865 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:0Qnk3GDYKGcblwtX+t4Y8Q+fuyf1/MabFS:IAOcZwXYMmyt/MGFS
Threatray 247 similar samples on MalwareBazaar
TLSH 27A4E102BAC588B2D573193259396B256D7CBD201F35DE6FA3E42D6DDB30180A634BB3
Reporter vm001cn
Tags:DCRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69751/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/487530
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296207 Sample: injector_Cheat.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 96 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Antivirus detection for dropped file 2->67 69 .NET source code contains method to dynamically call methods (often used by packers) 2->69 71 5 other signatures 2->71 10 injector_Cheat.exe 3 6 2->10         started        13 oisAUWmkhGIutMC.exe 15 12 2->13         started        process3 dnsIp4 55 C:\drivercrt\driverperf.exe, PE32 10->55 dropped 17 wscript.exe 1 10->17         started        57 62.109.21.49, 49724, 49729, 49735 THEFIRST-ASRU Russian Federation 13->57 59 ipinfo.io 216.239.34.21, 443, 49728 GOOGLEUS United States 13->59 61 192.168.2.1 unknown unknown 13->61 87 Antivirus detection for dropped file 13->87 89 Machine Learning detection for dropped file 13->89 91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->91 93 Tries to harvest and steal browser information (history, passwords, etc) 13->93 file5 signatures6 process7 signatures8 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->63 20 cmd.exe 1 17->20         started        process9 process10 22 driverperf.exe 14 20->22         started        26 conhost.exe 20->26         started        file11 47 C:\drivercrt\svchost.exe, PE32 22->47 dropped 49 C:\drivercrt\oisAUWmkhGIutMC.exe, PE32 22->49 dropped 51 C:\Users\Default\Videos\svchost.exe, PE32 22->51 dropped 53 2 other malicious files 22->53 dropped 73 Antivirus detection for dropped file 22->73 75 Machine Learning detection for dropped file 22->75 77 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->77 79 2 other signatures 22->79 28 RuntimeBroker.exe 3 22->28         started        31 schtasks.exe 1 22->31         started        33 schtasks.exe 1 22->33         started        35 3 other processes 22->35 signatures12 process13 signatures14 81 Antivirus detection for dropped file 28->81 83 Machine Learning detection for dropped file 28->83 85 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 28->85 37 conhost.exe 31->37         started        39 conhost.exe 33->39         started        41 conhost.exe 35->41         started        43 conhost.exe 35->43         started        45 conhost.exe 35->45         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fd5abeb26cdc364310d6e88bb4326d6801eba7dfebca2601fb0ad11797acdd6/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 15:45:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7k2x2zgzxbwiminn2elwqzg22ab5ot5726keya7wcwrc6l2zxla._file
Verdict:
malicious
Similar samples:
10189128ff7ff4ae10111c65ca809615595304636a0d0e451ee34bf23ee900a2
DCRat
1ca9978db84d8cad7f6a8f838e106799352c386cfa3aee2bbefa195e7fabe166
DCRat
3a61804bb8302d42eb46c25a884cf50e7e6e383a9a48bfbfb1cfbe78ed2ed389
DCRat
6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f
DCRat
a1c243083cc1870948216df122047ee1a8e473d0fab33283009c0d291567ea10
DCRat
a30dd99039152a76aacb5607d79b400098d9cd24350c0121fe4f7811177c0dbc
DCRat
b14306aa1789a4d6b9bfa4f8c9392033ef0fc70e584addad632135f7f832dec1
DCRat
dc8b1aa91228f69edb8b71fafd9231f6d6d55d50ea17e3a845a3014e419cdb60
DCRat
e34ce3660cbabe945aadb571016cbd7e73ca4a7baa6e9cd64a3615b6474ccdc8
DCRat
fba31181ed1957e81c452fa1e860414d3a2bd2da470074a32f196f873a37d9ad
DCRat
+ 237 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/201010-hy4qygjh5e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Drops file in Windows directory
Drops file in Program Files directory
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
5fd5abeb26cdc364310d6e88bb4326d6801eba7dfebca2601fb0ad11797acdd6
MD5 hash:
e9f352055b65d3ef96dda92252dc1172
SHA1 hash:
884ddd5180e8c73eaaa0eae1f9d7d006d8f1318a
Link:
https://www.unpac.me/results/6cac0d97-85f4-46b3-9fde-266b6a066219/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fd5abeb26cdc364310d6e88bb4326d6801eba7dfebca2601fb0ad11797acdd6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69751/

Comments