MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2
SHA3-384 hash: ef7bf511d7fd71dd78df40a5cb15709d1be58a08c9703c0627a3217edfc8bd6cea97a8c111dc206f9395b43ef567f881
SHA1 hash: 560f538147a4ca5e6bfeadb3ef48ccde7070120c
MD5 hash: b99a438bb5300f4aee538098b882cdf8
humanhash: cardinal-iowa-edward-mockingbird
File name:SecuriteInfo.com.Trojan.GenericKD.47235777.28756.23303
Download: download sample
Signature DCRat
Create hunting rule
File size:2'994'688 bytes
First seen:2021-10-23 05:04:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:7wefjxPCEjdphA8ZLUj+khAHYevjm7rDeqYQjmCYi78jFA:7zqCA85UuHYeLu0PCYi78q
Threatray 44 similar samples on MalwareBazaar
TLSH T15FD5339A515B0AE4C7AB483C770FA0C159E6F951E57062C508908F32D2C6FE2ED66E3F
File icon (PE):PE icon
dhash icon 8269338ee8e82944 (1 x DCRat)
Reporter SecuriteInfoCom
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
510
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fri051e1e7444.exe
Verdict:
Malicious activity
Analysis date:
2021-10-22 16:14:16 UTC
Tags:
evasion trojan loader opendir kelihos rat redline stealer vidar raccoon backdoor dcrat
Link:
https://app.any.run/tasks/ad80c6a2-40d4-4cdb-a183-d6af3b0c97ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199544/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47235777.28756.23303.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat packed
Link:
https://www.filescan.io/uploads/61739800db358dd15ed86d14/reports/9ab676e7-c562-43f7-9231-db24c34a1a17/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50c16fa1-c1a4-4b57-9524-adc4a685c7a0
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875575
Signature
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to steal Crypto Currency Wallets
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 508005 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 23/10/2021 Architecture: WINDOWS Score: 100 27 mecheats.ru 2->27 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected DCRat 2->45 47 5 other signatures 2->47 7 SecuriteInfo.com.Trojan.GenericKD.47235777.28756.exe 4 18 2->7         started        11 WmiPrvSE.exe 3 2->11         started        13 oUUcotoXeYNFlZRKiJGflhvTt.exe 3 2->13         started        signatures3 process4 file5 19 C:\Windows\SysWOW64\wbem\...\WmiPrvSE.exe, PE32 7->19 dropped 21 C:\Windows\SysWOW64\...\RuntimeBroker.exe, PE32 7->21 dropped 23 C:\Users\Public\Downloads\RuntimeBroker.exe, PE32 7->23 dropped 25 6 other malicious files 7->25 dropped 49 Detected unpacking (changes PE section rights) 7->49 51 Detected unpacking (overwrites its own PE header) 7->51 53 Drops executables to the windows directory (C:\Windows) and starts them 7->53 67 2 other signatures 7->67 15 RuntimeBroker.exe 16 2 7->15         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Tries to evade analysis by execution special instruction which cause usermode exception 11->59 61 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->61 63 Hides threads from debuggers 13->63 65 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->65 signatures6 process7 dnsIp8 29 mecheats.ru 81.177.135.81, 49769, 49770, 49771 RTCOMM-ASRU Russian Federation 15->29 31 192.168.2.1 unknown unknown 15->31 33 Multi AV Scanner detection for dropped file 15->33 35 Detected unpacking (changes PE section rights) 15->35 37 Detected unpacking (overwrites its own PE header) 15->37 39 7 other signatures 15->39 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-22 15:44:35 UTC
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
DCRat
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
DCRat
36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe
DCRat
38b951946943714900dc29bb01ce025a84e0f52f095e2901e74a509b9499f2c6
DCRat
57e0906e3b6e13fe8db13cc06ce37d957bfc045afa6e99e9cf8b893ceb57d018
DCRat
864e6ddd9c09a95df11b80abbaa0b1a9a4fb890cb27ad21883f44853094bb0cd
DCRat
997e83ecf17b2ea03da19ee8897457445263f9a6daecc750b6430f952fe0e60c
DCRat
ada1c5359c35e6b70c5a2d5533f9d725f86a1e155c8486bfd2941c9b40478ea2
DCRat
b99887f1364955d2872bedadab15a15a51429ec8aeb111859d50e24a9fd31342
DCRat
f07c61b593733b1a8d2b35f0667a3d39988917f0ceaa73b474f9a559beddf992
DCRat
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer
Link:
https://tria.ge/reports/211023-fqvh2scba8/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
Unpacked files
SH256 hash:
7e7d277ee439aa3ac20595df84d788993352bef00826b1c1fb6ffe67c30165be
MD5 hash:
b4cb71460e8d1e0202ff9488c6f7c0a3
SHA1 hash:
56c270b475895762ad013cc27fa9d7426c61e410
Link:
https://www.unpac.me/results/0e880c4a-3c15-4b06-85c7-baa714ead861/
SH256 hash:
89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2
MD5 hash:
b99a438bb5300f4aee538098b882cdf8
SHA1 hash:
560f538147a4ca5e6bfeadb3ef48ccde7070120c
Link:
https://www.unpac.me/results/0e880c4a-3c15-4b06-85c7-baa714ead861/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/199544/
  
URLhaus
https://urlhaus.abuse.ch/url/1709891/
  
Delivery method
Distributed via web download

Comments