MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eae3d33dba2b7adc0cfd8678236bae7de59a758caaa4e017589b0c2a2e89a05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	6eae3d33dba2b7adc0cfd8678236bae7de59a758caaa4e017589b0c2a2e89a05
SHA3-384 hash:	dc2bf0a4e0d1bb8ec8569f99f985b6d05a33c0643653b37ef54188d5fcbcfccfc846ce2508e6eda092e18de3fcbaf1d7
SHA1 hash:	b8a143845c9b23893142eb4538db6cdfffaf4d7c
MD5 hash:	3bb2936f2d1f65fab0359fab25fdf169
humanhash:	pasta-happy-grey-hawaii
File name:	HEUR-Backdoor.MSIL.LightStone.gen-6eae3d33dba.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'263'104 bytes
First seen:	2022-12-30 15:35:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:Fmln1N8EDnmnX+xJ/vfrp7cwd4nh5b+4:Fk1vnzxVdKh5K
Threatray	3'193 similar samples on MalwareBazaar
TLSH	T189453A023684ED01D0699637C9DF44280BA8FD427B63DB1F7E9E33AC65963A75D0E1CA
TrID	47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.4% (.SCR) Windows screen saver (13097/50/3) 6.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://82.146.54.148/Djangohtopdemo/poolanti/cutdatacut/screenlocalsearcherbin/Djangolimit/searcherrecord/programmessagescreen/Camgametrace/mobile/rulemessagemessage/php/demo/log/PhpapiUniversal.php

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

HEUR-Backdoor.MSIL.LightStone.gen-6eae3d33dba.exe

Verdict:

Malicious activity

Analysis date:

2022-12-30 15:37:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e287694d-b839-40d5-ab3d-f63bb81553be

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Creating a file in the system32 subdirectories

Launching a process

Creating a file in the Program Files subdirectories

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Creating a file

Sending a custom TCP request

Creating a process from a recently created file

Sending an HTTP GET request

DNS request

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm cmd.exe explorer.exe hacktool obfuscated packed stealer

Link:

https://www.filescan.io/uploads/63af0565dde391056ac0b81b/reports/803ae578-a4d4-4be3-9167-f4e04d9e84ff/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/16a9d683-6559-4712-a7ce-7f2a7bde31ff

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1143240

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with benign system names

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sigma detected: Schedule system process

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6eae3d33dba2b7adc0cfd8678236bae7de59a758caaa4e017589b0c2a2e89a05/

Threat name:

ByteCode-MSIL.Backdoor.LightStone

Status:

Malicious

First seen:

2021-07-17 03:57:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n2xd2m63uk323qgp3btyenv247pftj2yzkve4alvrgymfixiticq._file

Verdict:

malicious

DCRat

346b769168c5fc8865428098350048f6e604a7a7bd5846bf03d99e4244663706

DCRat

4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8

DCRat

64d84c15bad421b75dab9b7261020fef0773f2aaabcf9b04a1f286c1a7d81ff4

DCRat

7c60b5f7e4d95d3da4f309fb6c759669dbc852cd53ba4fe553432d90e4804d81

DCRat

aebfeecd15596e7b6b4a739157229d3a0e1ea320e9352e4e725663b5a4f367b1

DCRat

bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0

DCRat

d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e

DCRat

+ 3'183 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat infostealer rat

Link:

https://tria.ge/reports/221230-s1wv3sbb4x/

Behaviour

Creates scheduled task(s)

Modifies registry class

Modifies system certificate store

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Checks computer location settings

Executes dropped EXE

DCRat payload

DcRat

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/60155f74-50bb-406a-91c7-d2ecef76791e

Unpacked files

SH256 hash:

75c878f800678615f5236d5cb485faa703101deb014a2a3475ae9fa857488072

MD5 hash:

17824334881a725a39441f7e16d3fbdc

SHA1 hash:

43a15d2c1b482bc19ccad38a242e368345a2339f

Link:

https://www.unpac.me/results/ff617ed0-e433-40f0-bd01-c82e6ddd22eb/

SH256 hash:

6eae3d33dba2b7adc0cfd8678236bae7de59a758caaa4e017589b0c2a2e89a05

MD5 hash:

3bb2936f2d1f65fab0359fab25fdf169

SHA1 hash:

b8a143845c9b23893142eb4538db6cdfffaf4d7c

Link:

https://www.unpac.me/results/ff617ed0-e433-40f0-bd01-c82e6ddd22eb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/6eae3d33dba2b7adc0cfd8678236bae7de59a758caaa4e017589b0c2a2e89a05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample