MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 803cc8d075f4b20e7eb720909a1f449039ecd6506d1861942e517f0805813917. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	803cc8d075f4b20e7eb720909a1f449039ecd6506d1861942e517f0805813917
SHA3-384 hash:	297f33a4088271ea9b01a5229293f6c3f2f73d544d37613c04049f1db281d6899132a2900b37fc03a84586deb027af6c
SHA1 hash:	fb18607f040e571823433e1fd88c46e6c201045c
MD5 hash:	f4505a78a0f9a416663a8ec3704de3c3
humanhash:	network-cola-stairway-ohio
File name:	rebornhack.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'270'784 bytes
First seen:	2021-07-30 10:16:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:9re0JdaHFGqb8fQSNuaFJ7FKfVnSvwmjCuiqB+4:peg9VJ7FecpfiqA
Threatray	99 similar samples on MalwareBazaar
TLSH	T1294539023684ED01D069963BC9EF54184BA8ED423B63DB1FBE9E337D64953A74D0E1CA
dhash icon	70c8e8e8dab2070f (1 x DCRat)
Reporter	Anonymous
Tags:	DCRat exe

Intelligence

File Origin

# of uploads :

# of downloads :

586

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

rebornhack.exe

Verdict:

Malicious activity

Analysis date:

2021-07-30 10:17:32 UTC

Tags:

evasion stealer

Link:

https://app.any.run/tasks/b3e0c26a-18fd-40eb-bcae-2bbd479c1b6b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175268/

Detection(s):

Win.Malware.Uztuby-9848412-0

Win.Packed.Uztuby-9851623-0

Win.Packed.Uztuby-9875336-0

Win.Packed.Uztuby-9877681-0

Win.Malware.Uztuby-9878616-0

Win.Packed.Uztuby-9878626-0

Win.Packed.Uztuby-9878629-0

Win.Packed.Uztuby-9878755-0

Win.Malware.Uztuby-9878756-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/605a1c8c-8d59-4482-a8c8-b36180b6c457

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/824401

Signature

.NET source code references suspicious native API functions

Found malware configuration

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/803cc8d075f4b20e7eb720909a1f449039ecd6506d1861942e517f0805813917/

Threat name:

ByteCode-MSIL.Backdoor.LightStone

Status:

Malicious

First seen:

2021-07-30 10:17:04 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Verdict:

unknown

DCRat

6718c04021467956503e7c53e7a6597fad77eafe88b080442d4168ab1081f32c

DCRat

7c60b5f7e4d95d3da4f309fb6c759669dbc852cd53ba4fe553432d90e4804d81

DCRat

844b9f86c1708ac12367aeef61e3116207fc430734449781d663755f9b4ffad8

DCRat

96151faabe100e36e7b72f1db0608fe92e4fabf89fee6567739f10a0e4147933

DCRat

aebfeecd15596e7b6b4a739157229d3a0e1ea320e9352e4e725663b5a4f367b1

DCRat

dec05061330cdd96419eb3cddade5f8198f6c30e17551842a0c644e1642ddea1

DCRat

f4c62f1bb28e7734697495b0125bcf943c6f528c297fa904865e58165e030a2a

DCRat

+ 89 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat rat spyware stealer

Link:

https://tria.ge/reports/210730-kn5bgy662j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

803cc8d075f4b20e7eb720909a1f449039ecd6506d1861942e517f0805813917

MD5 hash:

f4505a78a0f9a416663a8ec3704de3c3

SHA1 hash:

fb18607f040e571823433e1fd88c46e6c201045c

Link:

https://www.unpac.me/results/2638805a-e3e2-4b24-9bd0-26bf4e7dc495/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/803cc8d075f4b20e7eb720909a1f449039ecd6506d1861942e517f0805813917

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175268/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample