MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d13624566c3183b38d810a3e0d8fd054978c6e8f1b6936e6d6c938377f97ac3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d13624566c3183b38d810a3e0d8fd054978c6e8f1b6936e6d6c938377f97ac3
SHA3-384 hash: 86d93aec3c3682d18e8a76485373fa3d7fe0fc633c89e041e231ca1927356910b04897e581820ba574e4365b696931b1
SHA1 hash: 457868c8ecdb5081a5c6910fd2b2947b1575b0b2
MD5 hash: 1d5247a16acc2dc6dd2b5807224d0481
humanhash: south-moon-orange-chicken
File name:1d5247a16acc2dc6dd2b5807224d0481.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:7'879'680 bytes
First seen:2024-09-17 13:20:09 UTC
Last seen:2024-09-17 14:27:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bb2e9e2bb2989c645bb17e20b34e011e (3 x DCRat, 1 x CoinMiner, 1 x njrat)
ssdeep 196608:Vi0wziI7cSWKqCE7UZWsMDQWSirBCyRnD:Vi0hI7c28oIsMkir
Threatray 27 similar samples on MalwareBazaar
TLSH T14786236756690089D0E2C839C537FEF436FB1F2A9F81B47469D9BCC335329A1E6025A3
TrID 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
26.3% (.EXE) Win32 Executable (generic) (4504/4/1)
11.8% (.EXE) OS/2 Executable (generic) (2029/13)
11.6% (.EXE) Generic Win/DOS Executable (2002/3)
11.6% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon e2b15c68b1b2a468 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a1031033.xsph.ru/L1nc0In.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://a1031033.xsph.ru/L1nc0In.php https://threatfox.abuse.ch/ioc/1325607/

Intelligence

File Origin
# of uploads :
2
# of downloads :
493
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
1d5247a16acc2dc6dd2b5807224d0481.exe
Verdict:
Malicious activity
Analysis date:
2024-09-17 13:22:09 UTC
Tags:
dcrat rat remote darkcrystal
Link:
https://app.any.run/tasks/5c005126-1793-48cc-b8bd-ee3332116769

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen29.40604.9964.25480.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e98241f72de0d131be919d
Tags:
Static Malware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
hupigon lolbin packed packed packed shell32 vmprotect xpack
Link:
https://www.filescan.io/uploads/66e982415e9303a2942254f9/reports/851130ba-a236-4971-b630-749435622914/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7d13624566c3183b38d810a3e0d8fd054978c6e8f1b6936e6d6c938377f97ac3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b5f45e92-7a20-4384-aead-454587828797
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1512499
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Schedule system process
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1512499 Sample: V7jRHFyQyF.exe Startdate: 17/09/2024 Architecture: WINDOWS Score: 100 61 a1031033.xsph.ru 2->61 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Antivirus detection for URL or domain 2->77 79 18 other signatures 2->79 11 V7jRHFyQyF.exe 2 2->11         started        15 conhost.exe 2->15         started        17 cECslipKJDcQoQ.exe 2 2->17         started        19 15 other processes 2->19 signatures3 process4 file5 59 C:\Users\user\AppData\...\DCRatBuild.exe, PE32 11->59 dropped 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->87 89 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->89 91 Tries to evade analysis by execution special instruction (VM detection) 11->91 101 2 other signatures 11->101 21 DCRatBuild.exe 3 7 11->21         started        93 Antivirus detection for dropped file 15->93 95 Multi AV Scanner detection for dropped file 15->95 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->97 99 Machine Learning detection for dropped file 15->99 signatures6 process7 file8 55 C:\...\ReviewSessionmonitor.exe, PE32 21->55 dropped 57 C:\ChainserverbrokernetSvc\2JM9vAyKiI.vbe, data 21->57 dropped 81 Antivirus detection for dropped file 21->81 83 Machine Learning detection for dropped file 21->83 25 wscript.exe 1 21->25         started        28 wscript.exe 21->28         started        signatures9 process10 signatures11 85 Windows Scripting host queries suspicious COM object (likely to drop second stage) 25->85 30 cmd.exe 1 25->30         started        process12 process13 32 ReviewSessionmonitor.exe 8 14 30->32         started        36 conhost.exe 30->36         started        file14 47 C:\Windows\...\conhost.exe, PE32 32->47 dropped 49 C:\Users\Default\...\cECslipKJDcQoQ.exe, PE32 32->49 dropped 51 C:\Program Files\...\dasHost.exe, PE32 32->51 dropped 53 2 other malicious files 32->53 dropped 65 Antivirus detection for dropped file 32->65 67 Multi AV Scanner detection for dropped file 32->67 69 Creates an undocumented autostart registry key 32->69 71 7 other signatures 32->71 38 cECslipKJDcQoQ.exe 32->38         started        41 schtasks.exe 32->41         started        43 schtasks.exe 32->43         started        45 13 other processes 32->45 signatures15 process16 dnsIp17 63 a1031033.xsph.ru 141.8.192.126, 49736, 49737, 49739 SPRINTHOSTRU Russian Federation 38->63
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7d13624566c3183b38d810a3e0d8fd054978c6e8f1b6936e6d6c938377f97ac3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d13624566c3183b38d810a3e0d8fd054978c6e8f1b6936e6d6c938377f97ac3/
Threat name:
Win32.Trojan.Vindor
Create hunting rule
Status:
Malicious
First seen:
2024-09-12 19:13:53 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pujwerlgymmdwogyccr6bwh5avexrrxi6g3jg3tnnsjyg57zplbq._file
Verdict:
malicious
Similar samples:
3e55b54015ebcc09dce584c6963caaa487f62492f015f7daa4c645bcb7bb1bcd
DCRat
417c9ed1b4c2d455f302dc83dd450cd9209e35f2c42ad5e3c3e2217fe7465ee2
DCRat
5f7afeeee13aaee6874a59a510b75767156f75d14db0cd4e1725ee619730ccc8
DCRat
7d13624566c3183b38d810a3e0d8fd054978c6e8f1b6936e6d6c938377f97ac3
DCRat
8d7e7c63b0739df784f5db7c063be7b3ef2d1f6b6b71d76e0ed1e5b6592512a6
DCRat
+ 17 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat discovery infostealer persistence rat vmprotect
Link:
https://tria.ge/reports/240917-qlm9aavfqk/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
DCRat payload
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e6eb2e6c-71a5-4944-8e13-e8869e4d7cd2
Unpacked files
SH256 hash:
7d13624566c3183b38d810a3e0d8fd054978c6e8f1b6936e6d6c938377f97ac3
MD5 hash:
1d5247a16acc2dc6dd2b5807224d0481
SHA1 hash:
457868c8ecdb5081a5c6910fd2b2947b1575b0b2
Link:
https://www.unpac.me/results/ebb57bbd-2bce-4fdc-b4fa-54d4f1ceb1df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d13624566c3183b38d810a3e0d8fd054978c6e8f1b6936e6d6c938377f97ac3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA

Comments