MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62c3e411841d0ddf28d849f32122c253d497412ae714c37565cec5804f6f0ffd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 16



SHA256 hash: 62c3e411841d0ddf28d849f32122c253d497412ae714c37565cec5804f6f0ffd
SHA3-384 hash: e2d7dc7c3f1a01799e70ad53ce1b8f5d4757733faa9d09621957d3b481300b8ee7ddffa2fe4d86032d3fdbf04936bb3d
SHA1 hash: 1e3050c3956c2c3a1b17ac31f77efed1760226c8
MD5 hash: 2e21b261c44e2af8ffa91ce8b78a3fdc
humanhash: carbon-table-july-eighteen
File name: 2e21b261c44e2af8ffa91ce8b78a3fdc.exe
Signature: DCRat
File size: 7'632'384 bytes
First seen: 2024-10-15 05:00:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 53ff33fd5198e78ab468db682bbdf2b7 (3 x LummaStealer, 2 x RedLineStealer, 2 x DCRat)
ssdeep 196608:A9vLL+WhPUNrdgjd0DSKgRrDGg/gIC6uo5KtDgpr8:QaW+Nrda0DSrQqC6untE2
Threatray 1'397 similar samples on MalwareBazaar
TLSH T1FF76335636688467D252263B8EF5D2B56B7E351007F18FEF63C80F7EDB102A08524DBA
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://89.110.93.210/eternalUpdate/vmUpdateauthUniversalwordpressDle.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://89.110.93.210/eternalUpdate/vmUpdateauthUniversalwordpressDle.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/1336550/

Intelligence


File Origin
# of uploads: 1
# of downloads: 430
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
2e21b261c44e2af8ffa91ce8b78a3fdc.exe
Verdict:
Malicious activity
Analysis date:
2024-10-15 05:02:37 UTC
Tags:
rat dcrat remote darkcrystal miner silentcryptominer exfiltration netreactor wmi-base64 susp-powershell

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Powershell Autorun Cobalt
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint lolbin microsoft_visual_cc packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Detection:
malicious
Classification:
spre.troj.adwa.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Disable power options
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1533739; sample vOG22UGT3M.exe; start date 15/10/2024; architecture WINDOWS; score 100)
Sample-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree reconstructed from the graph:
- vOG22UGT3M.exe
    dropped: C:\Users\user\AppData\...\y3TOTXc4rt.exe (PE32+); C:\Users\user\AppData\...\nqtZaaDcwD.exe (PE32)
    - nqtZaaDcwD.exe
        dropped: C:\Users\user\Desktop\kTlVkFLW.log (PE32); C:\Users\user\Desktop\aTLnmHMm.log (PE32); C:\Users\user\Desktop\JELpolGS.log (PE32); 8 other malicious files
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 5 other signatures
        - cmd.exe
            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
            - 3 other processes
        - csc.exe
            dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
            signatures: Infects executable files (exe, dll, sys, html)
            - conhost.exe
            - cvtres.exe
        - powershell.exe
            signatures: Loading BitLocker PowerShell Module
            - 2 other processes
        - 8 other processes
            - 4 other processes
    - y3TOTXc4rt.exe
        dropped: C:\ProgramData\...\WindowsAutHost (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
        signatures: Uses powercfg.exe to modify the power settings; Modifies the context of a thread in another process (thread injection); Modifies the hosts file; Modifies power options to not sleep / hibernate
        - powershell.exe
            - conhost.exe
        - cmd.exe
            - 2 other processes
        - sc.exe
            - conhost.exe
        - 8 other processes
            - 8 other processes
- NdPZiqRQVSxCShwsYZWhzfFrm.exe (started three times)
    instance 1:
        network: 89.110.93.210, ports 49736, 49737, 49738 (RECONNRU, Ukraine)
        dropped: C:\Users\user\Desktop\zUvJxLpE.log (PE32); C:\Users\user\Desktop\qqmUNSZX.log (PE32); C:\Users\user\Desktop\YNEwfaKF.log (PE32); C:\Users\user\Desktop\RgXPRhKT.log (PE32)
        signatures: Tries to harvest and steal browser information (history, passwords, etc); Found direct / indirect Syscall (likely to bypass EDR)
    instance 2:
        signatures: Multi AV Scanner detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
    instance 3: no additional findings recorded in the graph
Threat name:
Win32.Trojan.Whispergate
Status:
Malicious
First seen:
2024-10-11 09:04:59 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
10/10
Tags:
defense_evasion discovery evasion execution persistence spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Modifies WinLogon for persistence
Modifies security service
Process spawned unexpected child process
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash: 2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669
MD5 hash: d8bf2a0481c0a17a634d066a711c12e9
SHA1 hash: 7cc01a58831ed109f85b64fe4920278cedf3e38d

SHA256 hash: 7c95d3b38114e7e4126cb63aadaf80085ed5461ab0868d2365dd6a18c946ea3a
MD5 hash: e9ce850db4350471a62cc24acb83e859
SHA1 hash: 55cdf06c2ce88bbd94acde82f3fea0d368e7ddc6

SHA256 hash: f4e8ac39aa69ebe09c0a00d71729f5bcf9ca74f835fbffc385e339faa07d1c85
MD5 hash: 92fc1366f46eb9f4ba3748ab10fd538a
SHA1 hash: 9c1c032787d45624ebe6e38e56965cab7b00ca19
Detections: INDICATOR_EXE_Packed_DotNetReactor SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 398e488a0bd6542280cc9b8683c12b14ffcbc0222bfa73e86339f41519c4d7e9
MD5 hash: 204dbd22452b8c69ecc112c5e34e93f5
SHA1 hash: b742f895f8f7069359befc5111f54b380c74cd06

SHA256 hash: 62c3e411841d0ddf28d849f32122c253d497412ae714c37565cec5804f6f0ffd
MD5 hash: 2e21b261c44e2af8ffa91ce8b78a3fdc
SHA1 hash: 1e3050c3956c2c3a1b17ac31f77efed1760226c8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW

Comments