MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7711ab515c2fe669a40d2ee4883ededba88dff7c305008df222c2133469215e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 8

SHA256 hash: 7711ab515c2fe669a40d2ee4883ededba88dff7c305008df222c2133469215e8
SHA3-384 hash: efceaa102334e0ab92f637b7e781b2d182da689c99c223565ef7afc196da1c540075abc5796bbb091a8919f6b2bb9d0d
SHA1 hash: 1880ac009d18869d7f029bed378f7ef9276a7e0d
MD5 hash: aba88ae23ef00a022dd6a09105b5a740
humanhash: hydrogen-spaghetti-bakerloo-double
File name: aba88ae23ef00a022dd6a09105b5a740
Signature: DCRat
File size: 560'128 bytes
First seen: 2021-08-17 09:27:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:TqnOm3Yx8DHoPDZKGdXdsXEJiY6L6/prI+WK:T+OmRoPwJ0JiF+/51
Threatray: 53 similar samples on MalwareBazaar
TLSH: T13FC47C152BF86925F1BF5B79E4F06D6A8B72B81276A2EF4F048213D91E13740DC80B67
Reporter: zbetcheckin
Tags: 32 DCRat exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: aba88ae23ef00a022dd6a09105b5a740
Verdict: Malicious activity
Analysis date: 2021-08-17 09:28:07 UTC
Tags: evasion trojan rat backdoor dcrat stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Sending a UDP request
Stealing user critical data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Yara detected DCRat
Behaviour
Behavior Graph (flattened from the sandbox graph view):
Behavior Graph ID: 466660
Sample: MgTlzRI0yo
Start date: 17/08/2021
Architecture: WINDOWS
Score: 88
Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected DCRat; Machine Learning detection for sample; 2 other signatures
Process: MgTlzRI0yo.exe (started)
  Network: 94.250.250.235, ports 49739, 49740, 49741 (THEFIRST-ASRU, Russian Federation); api.telegram.org 149.154.167.220, ports 443, 49748, 49764 (TELEGRAMRU, United Kingdom); ipinfo.io 34.117.59.81, ports 443, 49744, 49758 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
  Dropped file: C:\Users\user\AppData\...\MgTlzRI0yo.exe.log (ASCII)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Tries to steal Crypto Currency Wallets
  Child process: cmd.exe (started)
    Child processes of cmd.exe: MgTlzRI0yo.exe (started); w32tm.exe (started); conhost.exe (started); chcp.com (started)
    Second MgTlzRI0yo.exe instance, network: 192.168.2.1 (unknown); ipinfo.io; api.telegram.org
    Second MgTlzRI0yo.exe instance, signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
Threat name: ByteCode-MSIL.Backdoor.LightStone
Status: Malicious
First seen: 2021-08-16 22:08:17 UTC
AV detection: 25 of 46 (54.35%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat rat spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 296c6aacdee2200eda07a33337818ef92d1214d1835443d2707d76727d5966b4
MD5 hash: ede46c883113aeda0a0d2f56af1cceb2
SHA1 hash: cf17d560abf8bcc1118fbfef77d953b0605f820c

SHA256 hash: 69e2e00d2984bd1c7bb42b972e43f56d61951a04e00834d05564240ddd198950
MD5 hash: 245c027f35b15118f47fe044c842d3cd
SHA1 hash: 567755f062684e09850321cdeaf95d4e0597dbba

SHA256 hash: 48d6be0ff082776c566a19459a5963f08d2c4d4a1c947de7a99b07560e236295
MD5 hash: 1ea5ecfbe64e314d9bb062046d5bfb75
SHA1 hash: 3ceeb4ea27ac76da489a55f242faf11ee0a2d2a2

SHA256 hash: 6ea4c210ee414f6238144474c3b4c2c87faf578a15eb3836afa0348ac0127195
MD5 hash: 05562e23866bd4ea62858f16c750d971
SHA1 hash: 0cf712a1afa8f4ead43fd11cb77a37f15ca1dad0

SHA256 hash: 7711ab515c2fe669a40d2ee4883ededba88dff7c305008df222c2133469215e8
MD5 hash: aba88ae23ef00a022dd6a09105b5a740
SHA1 hash: 1880ac009d18869d7f029bed378f7ef9276a7e0d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: DCRat
File: Executable exe 7711ab515c2fe669a40d2ee4883ededba88dff7c305008df222c2133469215e8 (this sample)

Comments

zbet commented on 2021-08-17 09:27:21 UTC

url: hxxp://135.125.172.201/test.exe