MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5
SHA3-384 hash: c8d619ffed96f6b100b25b2b514b7a01097da5ba1bfbb1b123f1cff70c705bddefe5f2a415e26e611b478fbad8bc255e
SHA1 hash: 2276be9129c6e50c4bb38ebe34e209ced3538492
MD5 hash: 069d8565f208c71cb5496278392a3e8d
humanhash: black-bakerloo-football-freddie
File name:069d8565f208c71cb5496278392a3e8d.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'322'880 bytes
First seen:2024-06-12 10:25:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:/QswzIgfd2FhMj0pPKEg5QlLCO0pMHBVlFP2R7Yt5ibo0/1lliJEq1pC1G:/9+kFOj+PKEaQlLNBDRtuo9Eq10
Threatray 289 similar samples on MalwareBazaar
TLSH T1BCF5E116A5D24F32C3645B358267413E92A2E7B73551EF1F351F2092A94BBF18E332A3
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://901329cm.n9shteam2.top/processorbaseUniversal.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
398
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5.exe
Verdict:
Malicious activity
Analysis date:
2024-06-12 10:27:29 UTC
Tags:
rat dcrat remote darkcrystal
Link:
https://app.any.run/tasks/697c1349-1e70-4fa1-9b4e-9966a3c959df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.30425.UnRegNetReactor.UNOFFICIAL
Create hunting rule

Win.Packed.Uztuby-10009381-0
Create hunting rule

Win.Packed.Uztuby-10015486-0
Create hunting rule

Win.Packed.Uztuby-10015902-0
Create hunting rule

Win.Packed.Uztuby-10017372-0
Create hunting rule

Win.Packed.Uztuby-10017373-0
Create hunting rule

Win.Packed.Zusy-10023527-0
Create hunting rule

Win.Dropper.HawkEye-10027238-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6669779ea2bce47be7d7fbdcwin7simulatehigh_evasion
Tags:
Encryption Execution Network Stealth Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Loading a suspicious library
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun by creating a file
Enabling autorun
Adding an exclusion to Microsoft Defender
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
net_reactor packed packed
Link:
https://www.filescan.io/uploads/666977bdeae3878d8f393e5b/reports/ec641000-f658-4c3b-99a3-c47537027ef6/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97e7b349-31d8-4dfe-ac15-1b63e161ad9c
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455920
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455920 Sample: hcxpxAtegZ.exe Startdate: 12/06/2024 Architecture: WINDOWS Score: 100 94 901329cm.n9shteam2.top 2->94 96 Snort IDS alert for network traffic 2->96 98 Multi AV Scanner detection for domain / URL 2->98 100 Antivirus detection for URL or domain 2->100 102 15 other signatures 2->102 10 hcxpxAtegZ.exe 2->10         started        13 hcxpxAtegZ.exe 7 43 2->13         started        16 lmwFxCZfVb.exe 14 27 2->16         started        19 6 other processes 2->19 signatures3 process4 dnsIp5 70 C:\Users\user\Desktop\zLWUHZHy.log, PE32 10->70 dropped 80 21 other malicious files 10->80 dropped 21 cmd.exe 10->21         started        82 26 other malicious files 13->82 dropped 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->112 114 Creates an undocumented autostart registry key 13->114 116 Creates multiple autostart registry keys 13->116 118 2 other signatures 13->118 24 cmd.exe 13->24         started        26 csc.exe 4 13->26         started        29 csc.exe 4 13->29         started        35 2 other processes 13->35 92 901329cm.n9shteam2.top 172.67.159.202, 49705, 49713, 49714 CLOUDFLARENETUS United States 16->92 72 C:\Users\user\Desktop\zxxdYxTq.log, PE32 16->72 dropped 74 C:\Users\user\Desktop\zHIKOnee.log, PE32 16->74 dropped 76 C:\Users\user\Desktop\yimcMvrd.log, PE32 16->76 dropped 84 19 other malicious files 16->84 dropped 31 cmd.exe 16->31         started        78 C:\Users\user\Desktop\zAuUTZDW.log, PE32 19->78 dropped 86 21 other malicious files 19->86 dropped 33 cmd.exe 19->33         started        file6 signatures7 process8 file9 104 Uses ping.exe to sleep 21->104 37 hcxpxAtegZ.exe 21->37         started        44 3 other processes 21->44 106 Uses ping.exe to check the status of other devices and networks 24->106 46 4 other processes 24->46 88 C:\Program Files (x86)\...\msedge.exe, PE32 26->88 dropped 108 Infects executable files (exe, dll, sys, html) 26->108 40 conhost.exe 26->40         started        42 cvtres.exe 1 26->42         started        90 C:\Windows\...\SecurityHealthSystray.exe, PE32 29->90 dropped 48 2 other processes 29->48 50 4 other processes 31->50 52 4 other processes 33->52 110 Loading BitLocker PowerShell Module 35->110 54 3 other processes 35->54 signatures10 process11 file12 62 C:\Users\user\Desktop\zQZMGOdJ.log, PE32 37->62 dropped 64 C:\Users\user\Desktop\yTxEkOOO.log, PE32 37->64 dropped 66 C:\Users\user\Desktop\udHNdROV.log, PE32 37->66 dropped 68 19 other malicious files 37->68 dropped 56 cmd.exe 37->56         started        process13 process14 58 conhost.exe 56->58         started        60 chcp.com 56->60         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5/
Threat name:
ByteCode-MSIL.Trojan.DCRat
Create hunting rule
Status:
Malicious
First seen:
2024-05-03 15:26:49 UTC
File Type:
PE (.Net Exe)
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tv6ohxp7cb6fusavy6xjyrm2m22ulj3qnnkilvto3kfsz7oautcq._file
Verdict:
malicious
Similar samples:
00d68c00be975ed8b240541a7dcf269239738237d05d90408100abe2ea872baf
DCRat
0cc11a51bcc10b49a00e1334f2b463b8f6bd6f998b8d1e6f13fce93e9b577582
DCRat
138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c
DCRat
182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d
DCRat
21db4cd681095da19d677cceaa96d61b988bbbc3be10bb834011c87c9641185c
DCRat
610fcf9f81cac31fcd0ef2569daad2a4fd8a989d9295e663442a3049739f3395
DCRat
7ffce98ca59eb3dbbccf7a849444719d6077008f1568ea71edaff28a7e75f42a
DCRat
8b8de9e06ccd838b76c8b298faa321972978d09ac85ef82c9da08bb1cd08f90e
DCRat
+ 279 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/240612-mgh7zs1dlh/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Modifies WinLogon for persistence
Process spawned unexpected child process
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e1e5c6d4-efe9-47a2-b70a-4819c3790a8a
Unpacked files
SH256 hash:
9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5
MD5 hash:
069d8565f208c71cb5496278392a3e8d
SHA1 hash:
2276be9129c6e50c4bb38ebe34e209ced3538492
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/185b3a59-fdef-4a27-bb5d-5e144d678e50/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d7ce3ddff10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d7ce3ddff107c5a4815c7ae9c459a66b545a7706b5485d66eda8b2cfdc0a4c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments