MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6955cfaea5b8a5781a1a8bfa69d07350269c5ed723165a29034aa70aa71da38f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 4 File information Comments

SHA256 hash:	6955cfaea5b8a5781a1a8bfa69d07350269c5ed723165a29034aa70aa71da38f
SHA3-384 hash:	62dfc56aabd9dfbfed515e67f8046786cb12101167d7aca3568b0d493c156d0f1977def1578d3a9f7ea74bc600cb3dac
SHA1 hash:	aa27971372365d386d94d8e9286198d5604719b6
MD5 hash:	4e287af320bc81f985cb373f5c4a18e5
humanhash:	nitrogen-venus-lake-king
File name:	4e287af320bc81f985cb373f5c4a18e5.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'911'325 bytes
First seen:	2022-03-21 15:38:07 UTC
Last seen:	2022-03-21 18:17:07 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:y9gVOScvYg7z2bO5DWMHduf5VDmIjVM/K60iOLa:yp
Threatray	328 similar samples on MalwareBazaar
TLSH	T1C4959EFCF2EB0CE3CC092AD444119DC78B345637A7AC44B8154769CD4667BE5A0A8EAF
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://trenbalon.cyberhost.ml/providerRequest.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://trenbalon.cyberhost.ml/providerRequest.php	https://threatfox.abuse.ch/ioc/434135/

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253669/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.39281641.16267.21256.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Creating a window

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the Program Files subdirectories

Running batch commands

Creating a process with a hidden window

Creating a process from a recently created file

Forced shutdown of a system process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Enabling autorun by creating a file

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe obfuscated overlay phoenix replace.exe

Link:

https://www.filescan.io/uploads/62389c21dfdfa8501cc78110/reports/c1d8e870-2dce-4b3e-8bf3-2c1a9eef390f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b7e1987d-60b9-4df6-b153-28a60517b453

Result

Threat name:

DCRat Panda Stealer Phoenix Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960918

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executable to a common third party application directory

Drops PE files with benign system names

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: File Created with System Process Name

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected DCRat

Yara detected Panda Stealer

Yara detected Phoenix Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6955cfaea5b8a5781a1a8bfa69d07350269c5ed723165a29034aa70aa71da38f/

Threat name:

ByteCode-MSIL.Infostealer.Phoenix

Status:

Malicious

First seen:

2022-03-19 18:36:36 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nfk47lvfxcsxqgq2rp5gtudtkatjyxwxemlfukidjktqvjy5uohq._file

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat infostealer persistence rat spyware stealer suricata

Link:

https://tria.ge/reports/220321-s3pjsadfdl/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

DcRat

Modifies WinLogon for persistence

Process spawned unexpected child process

suricata: ET MALWARE DCRAT Activity (GET)

Unpacked files

SH256 hash:

6955cfaea5b8a5781a1a8bfa69d07350269c5ed723165a29034aa70aa71da38f

MD5 hash:

4e287af320bc81f985cb373f5c4a18e5

SHA1 hash:

aa27971372365d386d94d8e9286198d5604719b6

Link:

https://www.unpac.me/results/11fdc5a2-416e-44ab-b6d3-5065821638da/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/6955cfaea5b8a5781a1a8bfa69d07350269c5ed723165a29034aa70aa71da38f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Alfonoso Create hunting rule
Author:	ditekSHen
Description:	Detects Alfonoso / Shurk / HunterStealer infostealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968