MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86072ecb9b50ffcfe121e8a6848d20c3bab8a3199a3e64b484608853f019487e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86072ecb9b50ffcfe121e8a6848d20c3bab8a3199a3e64b484608853f019487e
SHA3-384 hash: 8bda0cc513c1ef2a61c308632500b074ece131a26362d178b80dddbe2bcd3a412f8b4063d897470869dc90d19fb603dc
SHA1 hash: 6a3a07abfc03db1d2a39b71f7ed74bf3767dc078
MD5 hash: d8f411a8ac121a651e56becbbc6f9722
humanhash: november-indigo-social-timing
File name:d8f411a8ac121a651e56becbbc6f9722
Download: download sample
Signature DCRat
Create hunting rule
File size:2'519'552 bytes
First seen:2021-10-14 18:26:47 UTC
Last seen:2021-10-14 18:55:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 49152:JvC8531Ms2BPjbZaSZoi9fULabl6Eem+65JCybvGu5ZwFioWU7O8R++X3wbOEO:JvNMBPPZayhEyJCM+u5Zw4oWU7Oi++QF
Threatray 7'434 similar samples on MalwareBazaar
TLSH T16BC533B5B4A92328C61C3538457831340C97E2341BBB8D7FB99D40CBD7653A8CE6A7B6
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8f411a8ac121a651e56becbbc6f9722
Verdict:
Malicious activity
Analysis date:
2021-10-14 18:39:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3074c78b-6abf-4221-bcfe-a1c9d90b269a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197614/
Detection(s):
SecuriteInfo.com.Variant.Jaik.46999.28554.542.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6168767cfd35fe780c40b2e6/reports/1c30d324-db96-46a2-8009-8b09b8981e18/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d26cda6b-7859-45a9-866c-e429971b7815
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870716
Signature
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86072ecb9b50ffcfe121e8a6848d20c3bab8a3199a3e64b484608853f019487e/
Threat name:
Win32.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 20:53:02 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0091825486c2d7cfdee49e98c6795be8d32a7f50a68e0d33542b1f047fb7ed7a
DCRat
1e39513b16501c1ff55a8a9d4c7b4b27ad067f3063002541b74b43e547ca8bf8
DCRat
47ecf9882778e09cd99f29b89aa75d4396e783c1ef5c8e931601d6c1957fb3e5
DCRat
5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129
DCRat
61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948
DCRat
647c067b0bf2c8457c1d4153cf0635a662d709d881b231e06e7f307dbce46e12
DCRat
881809c7838ffda4805b1968e37c25dd5f1d9d02a6a2aadb7695705167d45cd2
DCRat
c88d90ab7e74383b46c41cc01a5ec7065c4e40cff87fb0c619bb7421704e8af9
DCRat
ff144f47f95b7b8f24573fc07b29562fdff19ea4a0d784e5c122995ab42095ad
DCRat
+ 7'424 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/211014-w3r7fsahdm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
Unpacked files
SH256 hash:
7e7d277ee439aa3ac20595df84d788993352bef00826b1c1fb6ffe67c30165be
MD5 hash:
b4cb71460e8d1e0202ff9488c6f7c0a3
SHA1 hash:
56c270b475895762ad013cc27fa9d7426c61e410
Link:
https://www.unpac.me/results/ded9849a-7ea2-452b-b88b-a59f201611b0/
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/ded9849a-7ea2-452b-b88b-a59f201611b0/
SH256 hash:
86072ecb9b50ffcfe121e8a6848d20c3bab8a3199a3e64b484608853f019487e
MD5 hash:
d8f411a8ac121a651e56becbbc6f9722
SHA1 hash:
6a3a07abfc03db1d2a39b71f7ed74bf3767dc078
Link:
https://www.unpac.me/results/ded9849a-7ea2-452b-b88b-a59f201611b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/86072ecb9b50ffcfe121e8a6848d20c3bab8a3199a3e64b484608853f019487e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 86072ecb9b50ffcfe121e8a6848d20c3bab8a3199a3e64b484608853f019487e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1678298/
Cape
Cape
https://www.capesandbox.com/analysis/197614/

Comments


Avatar
zbet commented on 2021-10-14 18:26:50 UTC

url : hxxp://103.159.133.159/store/items/110.exe