MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d5bbc1df6891d4e6d87702068fedfdccf2533e0fe6648aa12e62766cc20cb54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d5bbc1df6891d4e6d87702068fedfdccf2533e0fe6648aa12e62766cc20cb54
SHA3-384 hash: c111f873758d10ed0153f334a715e2def7e22ead1689b4c3baa27c0dd9f8ee6a2bd757fbeb95bdae57b765f88d2f3492
SHA1 hash: e6543de93758224c0b5c7ab70e3dd0b0725a8484
MD5 hash: abd3e1d69b885d3f98afd426b2157a8f
humanhash: hawaii-dakota-fifteen-single
File name:XovLauncher.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:9'216 bytes
First seen:2022-11-07 08:51:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 192:5xyMD99zXjmYqLDv9lqvk+9xwcvkcFNtUqkAuY7vkadYdR:5xvD99jGLDv90k+9xTk6Nt/zuYDkeoR
Threatray 3 similar samples on MalwareBazaar
TLSH T1C41267106DDB10DEF2770B7067D9B6FB15A6E8B5151EB2F430019A884B31AD0CC71EB1
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
XovLauncher.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 08:13:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb960641-93cd-4477-9e56-21b9a5e23f63

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329769/
Detection(s):
SecuriteInfo.com.Variant.Marsilia.2083.10182.30291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Searching for synchronization primitives
Running batch commands
Unauthorized injection to a recently created process
Changing the hosts file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6368c7335a664bb7b89c542e/reports/62766847-e5a5-4f95-b3a9-04fdd50033bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/64605295-7b5f-4054-98f1-6386150206cf
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107066
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Drops PE files with benign system names
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Very long command line found
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 739733 Sample: XovLauncher.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 89 Snort IDS alert for network traffic 2->89 91 Antivirus detection for dropped file 2->91 93 Antivirus / Scanner detection for submitted sample 2->93 95 7 other signatures 2->95 8 XovLauncher.exe 2 2->8         started        12 updaters.exe 2->12         started        14 cmd.exe 1 2->14         started        16 13 other processes 2->16 process3 file4 81 C:\Users\user\AppData\...\XovLauncher.exe.log, CSV 8->81 dropped 113 Very long command line found 8->113 115 Encrypted powershell cmdline option found 8->115 18 cmd.exe 8->18         started        20 powershell.exe 14 23 8->20         started        83 C:\Windows\Temp\amrjftof.tmp, PE32+ 12->83 dropped 85 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 12->85 dropped 117 Protects its processes via BreakOnTermination flag 12->117 119 Modifies the context of a thread in another process (thread injection) 12->119 121 Adds a directory exclusion to Windows Defender 12->121 123 Sample is not signed and drops a device driver 12->123 25 cmd.exe 12->25         started        125 Uses cmd line tools excessively to alter registry or file data 14->125 127 Uses powercfg.exe to modify the power settings 14->127 129 Modifies power options to not sleep / hibernate 14->129 27 conhost.exe 14->27         started        35 10 other processes 14->35 131 Creates files in the system32 config directory 16->131 133 Changes security center settings (notifications, updates, antivirus, firewall) 16->133 29 MpCmdRun.exe 16->29         started        31 conhost.exe 16->31         started        33 conhost.exe 16->33         started        37 18 other processes 16->37 signatures5 process6 dnsIp7 39 ProviderServerSaves.exe 18->39         started        43 conhost.exe 18->43         started        87 bitbucket.org 104.192.141.1, 443, 49711, 49712 AMAZON-02US United States 20->87 63 C:\Users\user\AppData\Local\Temp\LicGet.exe, PE32+ 20->63 dropped 65 C:\Users\user\AppData\Local\...\LicChecke.exe, PE32 20->65 dropped 97 Powershell drops PE file 20->97 45 LicGet.exe 1 20->45         started        47 LicChecke.exe 3 6 20->47         started        49 powershell.exe 15 20->49         started        51 conhost.exe 20->51         started        99 Modifies power options to not sleep / hibernate 25->99 53 conhost.exe 25->53         started        55 powercfg.exe 25->55         started        57 conhost.exe 29->57         started        file8 signatures9 process10 file11 67 C:\hyperContainerserverHost\spoolsv.exe, PE32 39->67 dropped 69 C:\hyperContainerserverHost\WmiPrvSE.exe, PE32 39->69 dropped 71 C:\...\RuntimeBroker.exe, PE32 39->71 dropped 79 15 other malicious files 39->79 dropped 101 Antivirus detection for dropped file 39->101 103 Multi AV Scanner detection for dropped file 39->103 105 Machine Learning detection for dropped file 39->105 107 Drops PE files with benign system names 39->107 73 C:\Program Filesbehaviorgraphoogle\Chrome\updaters.exe, PE32+ 45->73 dropped 75 C:\Windows\System32\drivers\etc\hosts, ASCII 45->75 dropped 109 Modifies the hosts file 45->109 111 Adds a directory exclusion to Windows Defender 45->111 77 C:\...\ProviderServerSaves.exe, PE32 47->77 dropped 59 wscript.exe 1 47->59         started        61 conhost.exe 49->61         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d5bbc1df6891d4e6d87702068fedfdccf2533e0fe6648aa12e62766cc20cb54/
Threat name:
ByteCode-MSIL.Downloader.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2022-11-06 22:26:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvn3yhpwreou43mhoaqgr7w73thskm7a7zterkqs4ytwntbaznka._file
Verdict:
malicious
Similar samples:
1eb20f517c0c3630095eeb0553390e906ee423dad7b5082a7b29a0243972b180
DCRat
8744ee78fd8ec700b2d27545ad32e1e28f38f07c272d61bbcb8cff147cfb9bda
DCRat
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221107-ksqebsbbaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/acda4f4d-fd0e-4761-af37-ed5b7561e827
Unpacked files
SH256 hash:
8d5bbc1df6891d4e6d87702068fedfdccf2533e0fe6648aa12e62766cc20cb54
MD5 hash:
abd3e1d69b885d3f98afd426b2157a8f
SHA1 hash:
e6543de93758224c0b5c7ab70e3dd0b0725a8484
Link:
https://www.unpac.me/results/5861a702-1089-4138-81c6-400c7e01fb59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d5bbc1df6891d4e6d87702068fedfdccf2533e0fe6648aa12e62766cc20cb54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DCRat

Executable exe 8d5bbc1df6891d4e6d87702068fedfdccf2533e0fe6648aa12e62766cc20cb54

(this sample)

DCRat

Executable exe 14a4f2112f6aba10f5b55d5421b36c7b669a8f5ed1bf1bb04a51c8edf451e908

Cape
Cape
https://www.capesandbox.com/analysis/329769/
  
Dropping
SHA256 14a4f2112f6aba10f5b55d5421b36c7b669a8f5ed1bf1bb04a51c8edf451e908
  
Dropping
MD5 755fe7ca06fd859a3168daff5c1c2245

Comments