MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f
SHA3-384 hash: 5050c3621c86f2587cadd32faef6156078b8da076f529b905dc576ab2037edf58849e1f647408288f229d421de4b957f
SHA1 hash: 0d506f9555aa68ddc5740652d477dd2e96a45e2b
MD5 hash: a6c8af48b5f7f850e5400cca5c288ae1
humanhash: sink-zulu-nebraska-thirteen
File name:a6c8af48b5f7f850e5400cca5c288ae1.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:457'216 bytes
First seen:2021-08-01 07:00:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep 12288:AbjDhu9TsJYZBuLuM1reSNsX3Qku9EFBtsOciz4q4:u1eTsJZPNsXPu92Bts64q4
Threatray 118 similar samples on MalwareBazaar
TLSH T139A4F097B2E051A8EAF582F6D9921342EB3074711714B3DB57B943B61B2B9C58F3C3A0
Reporter abuse_ch
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6c8af48b5f7f850e5400cca5c288ae1.exe
Verdict:
No threats detected
Analysis date:
2021-08-01 07:05:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3d80ddbe-1859-4d0c-84fa-e093c5257759

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175547/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34126398.28157.2351.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f43b59a9-b862-452e-8571-e60b62a20b94
Result
Threat name:
DCRat Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825033
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457445 Sample: wRMhuAGuqA.exe Startdate: 01/08/2021 Architecture: WINDOWS Score: 100 80 Antivirus detection for dropped file 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 8 other signatures 2->86 10 wRMhuAGuqA.exe 9 2->10         started        13 svchost.exe 1 2->13         started        15 svchost.exe 2->15         started        process3 file4 76 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 10->76 dropped 17 cmd.exe 3 10->17         started        process5 process6 19 zxc.exe 1 18 17->19         started        23 vbn.exe 3 6 17->23         started        25 clo.exe 2 17->25         started        27 8 other processes 17->27 dnsIp7 62 C:\Windows\Client.exe, PE32 19->62 dropped 64 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 19->64 dropped 66 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 19->66 dropped 88 Multi AV Scanner detection for dropped file 19->88 90 Machine Learning detection for dropped file 19->90 92 Disables security and backup related services 19->92 30 cmd.exe 1 19->30         started        32 cmd.exe 19->32         started        34 cmd.exe 19->34         started        36 cmd.exe 19->36         started        68 C:\...\WinruntimedhcpNetcommon.exe, PE32 23->68 dropped 38 wscript.exe 23->38         started        94 Injects a PE file into a foreign processes 25->94 40 clo.exe 25->40         started        42 conhost.exe 25->42         started        78 cdn.discordapp.com 162.159.135.233, 443, 49743, 49749 CLOUDFLARENETUS United States 27->78 70 C:\Users\user\AppData\Local\Temp\...\zxc.exe, PE32 27->70 dropped 72 C:\Users\user\AppData\Local\Temp\...\vbn.exe, PE32 27->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\clo.exe, PE32 27->74 dropped 96 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 27->96 file8 signatures9 process10 process11 44 net.exe 30->44         started        46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        50 sc.exe 32->50         started        52 conhost.exe 34->52         started        54 sc.exe 34->54         started        56 conhost.exe 36->56         started        58 sc.exe 36->58         started        process12 60 net1.exe 44->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f/
Threat name:
Win64.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-31 19:38:59 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
DCRat
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
DCRat
37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
DCRat
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
DCRat
c1f1b8f358e98ae14b424dd8d57e022b8dc68c7c5f14a8d3dea8f1e66601f351
DCRat
d700e68d1c067c7bb297805d8429aa95cde9b6ec484c490ebdb01fc9689b1a31
DCRat
f4c62f1bb28e7734697495b0125bcf943c6f528c297fa904865e58165e030a2a
DCRat
f60133f0545df116739879fd080e0fc688aece721a4123612ebaa479c2c551e0
DCRat
ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93
DCRat
+ 108 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata upx
Link:
https://tria.ge/reports/210801-3wb4h2jtln/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f
MD5 hash:
a6c8af48b5f7f850e5400cca5c288ae1
SHA1 hash:
0d506f9555aa68ddc5740652d477dd2e96a45e2b
Link:
https://www.unpac.me/results/6c1cdb5f-a99b-4d01-8786-4b08604234a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1493959/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175547/

Comments