MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61
SHA3-384 hash: a915c2965fe69837cc44f79fc27dff43a07d762025d5e7b795ff407cb6fa5b6f543631ce2fdfa00eb2396d65fe455a73
SHA1 hash: f5304f425592a5a1aa754ed56b9334e66c9fca8c
MD5 hash: 17431b6c6fd49fd5d2d54ca7a4a689eb
humanhash: winter-sweet-texas-bacon
File name:6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61
Download: download sample
Signature DCRat
Create hunting rule
File size:985'283 bytes
First seen:2021-02-28 07:23:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep 24576:nH+m7hEdjbZ4HwyIrC8R6d1FcMTQ2nE+s/X1m:neVnZuw5xUdkMTP+Y
Threatray 378 similar samples on MalwareBazaar
TLSH 21252322902050B3DB9853325E79D776D2ABDED41D28160BABF59FFB7E389724342903
Reporter JAMESWT_WT
Tags:DCRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
402
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61
Verdict:
Malicious activity
Analysis date:
2021-02-28 07:43:06 UTC
Tags:
trojan rat backdoor dcrat evasion
Link:
https://app.any.run/tasks/bfe91567-9943-4363-8fac-8afe0287153f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119940/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a window
Searching for the window
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Creating a file in the mass storage device
Stealing user critical data
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620840
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359413 Sample: beZvm96NND Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 83 Found malware configuration 2->83 85 Antivirus detection for dropped file 2->85 87 Multi AV Scanner detection for dropped file 2->87 89 11 other signatures 2->89 14 beZvm96NND.exe 19 2->14         started        18 NJvgVQpkDJRSLNlKuYXezKn.exe 2->18         started        21 fontdrvhost.exe 2->21         started        process3 dnsIp4 71 C:\Users\user\AppData\Roaming\...\Firefox.exe, PE32 14->71 dropped 73 C:\Users\user\AppData\Roaming\1337\...\.exe, PE32 14->73 dropped 75 C:\Users\user\AppData\Local\...\System.dll, PE32 14->75 dropped 99 Drops executable to a common third party application directory 14->99 23     .exe 3 6 14->23         started        26 Firefox.exe 13 14->26         started        77 cy58497.tmweb.ru 5.23.51.195, 49730, 80 TIMEWEB-ASRU Russian Federation 18->77 79 ipinfo.io 216.239.32.21, 443, 49735 GOOGLEUS United States 18->79 81 192.168.2.1 unknown unknown 18->81 101 Antivirus detection for dropped file 18->101 103 Machine Learning detection for dropped file 18->103 105 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->105 107 Tries to harvest and steal browser information (history, passwords, etc) 18->107 file5 signatures6 process7 file8 59 C:\intoruntime\3jaQao6DzX2OUzKG3db2.exe, PE32 23->59 dropped 28 wscript.exe 1 23->28         started        61 C:\Users\user\AppData\Local\...\System.dll, PE32 26->61 dropped process9 process10 30 cmd.exe 1 28->30         started        process11 32 3jaQao6DzX2OUzKG3db2.exe 6 30->32         started        35 conhost.exe 30->35         started        file12 57 C:\intoruntime\runtimesaves.exe, PE32 32->57 dropped 37 wscript.exe 1 32->37         started        process13 process14 39 cmd.exe 1 37->39         started        process15 41 runtimesaves.exe 1 13 39->41         started        45 conhost.exe 39->45         started        file16 63 C:\intoruntime\fontdrvhost.exe, PE32 41->63 dropped 65 C:\Users\user\Music\smss.exe, PE32 41->65 dropped 67 C:\Users\user\AppData\...\WmiPrvSE.exe, PE32 41->67 dropped 69 3 other malicious files 41->69 dropped 91 Antivirus detection for dropped file 41->91 93 Creates files inside the volume driver (system volume information) 41->93 95 Machine Learning detection for dropped file 41->95 97 3 other signatures 41->97 47 schtasks.exe 41->47         started        49 schtasks.exe 41->49         started        51 schtasks.exe 41->51         started        53 3 other processes 41->53 signatures17 process18 process19 55 conhost.exe 47->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-02-27 09:30:36 UTC
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
026e27e7f9ed14e29d3f9feffd83f8c83b88291439c5f1376d264504b832c2ca
DCRat
3f1d6522a3dc9c69310b7c960788de537186c1256dae425eac2cf07c66dd3ab8
DCRat
4231d303577111382f2c3a44d1b4077b11dfe8125d851a5bda6ceebef5a0d5a4
DCRat
7125ff46ae7468216b1764b9e22b5811d4890f33a237776c6cbf22c8d8f09bbc
DCRat
75ea1220430a1db49377668f5fc4f38d4bde275076a4619ba41d1d54a62bc9b8
DCRat
95c7436558a5834379102b569f796d288fa04d8cbc52d7719709caec3cc7da09
DCRat
a8820beaeefff48ca74cc149e99807845bbbb9d5a3b02ce625ba778ba129afe9
DCRat
ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e
DCRat
c0258a01a5881d1f5de632d7617a0e225173696db23fb99f72ea1c84e6be396c
DCRat
f5c3eeb8f2ea96aa8b70d7819ffef017bc30b76b58bc7e85ec796e8e8bb789b2
DCRat
+ 368 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware upx
Link:
https://tria.ge/reports/210228-g8tcg4nrhe/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
6e17879dc9cc54f58b9ff826a5bc64f8a6ffc7f0a1932db9516f428871690ffb
MD5 hash:
5c47db183fcf4ee0cc2364c4f7b322f8
SHA1 hash:
b59d228d2d22e0874aebda162f0e84d699ba9181
Link:
https://www.unpac.me/results/0acabaf4-d0eb-4244-a652-843742913eeb/
SH256 hash:
b8f5033f762e55c4d991ee5367c3d6d5caf9b64a7b081874576c5633dde5375f
MD5 hash:
78c11b5b9c402706b1a3e6ae77caf1ce
SHA1 hash:
8b0d2f251846bad4753bd81d9a92c84f8f47f2d9
Link:
https://www.unpac.me/results/0acabaf4-d0eb-4244-a652-843742913eeb/
SH256 hash:
2ffe1ac2555e822b4a383996168031e456f09f9cf3bb763fccee35be178cf58a
MD5 hash:
ba4c1dfe226d573d516c0529f263011e
SHA1 hash:
d726e947633ea75c09bba1cb6a14a79ce953be24
Link:
https://www.unpac.me/results/0acabaf4-d0eb-4244-a652-843742913eeb/
SH256 hash:
acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973
MD5 hash:
2880bf3bbbc8dcaeb4367df8a30f01a8
SHA1 hash:
cb5c65eae4ae923514a67c95ada2d33b0c3f2118
Link:
https://www.unpac.me/results/0acabaf4-d0eb-4244-a652-843742913eeb/
SH256 hash:
227a4fc9408a44faa5eca608a974bd536814f97b8a4d28b4cac479727167b026
MD5 hash:
bd393029cc49b415b6c9aeb8a4936516
SHA1 hash:
c67fd92fffd18941bed41bfd6ac4f3b04fd123df
Link:
https://www.unpac.me/results/0acabaf4-d0eb-4244-a652-843742913eeb/
SH256 hash:
ada2f1b1bd5f70e1244c7ed20d33ecfbdc85825221a28d8d4d60a18a9bbf3b5c
MD5 hash:
7249d7e787faf606c97f162b93a62448
SHA1 hash:
2be8ed1664e6f97b996a1623e609e5e92f93bceb
Link:
https://www.unpac.me/results/0acabaf4-d0eb-4244-a652-843742913eeb/
SH256 hash:
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
MD5 hash:
a4dd044bcd94e9b3370ccf095b31f896
SHA1 hash:
17c78201323ab2095bc53184aa8267c9187d5173
Link:
https://www.unpac.me/results/0acabaf4-d0eb-4244-a652-843742913eeb/
SH256 hash:
6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61
MD5 hash:
17431b6c6fd49fd5d2d54ca7a4a689eb
SHA1 hash:
f5304f425592a5a1aa754ed56b9334e66c9fca8c
Link:
https://www.unpac.me/results/0acabaf4-d0eb-4244-a652-843742913eeb/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119940/

Comments