MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6673fb12d144ff4db370f33158e67c63a2e053685fc396b255141192a38abc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6673fb12d144ff4db370f33158e67c63a2e053685fc396b255141192a38abc6
SHA3-384 hash: 642ebeed690573a5a54b40323e9a4a87b1f2cd890bf9f3e0c974440ba8a75c41ee2f9b0d576c5aa11ede534a9159de77
SHA1 hash: b3cddf4fa00679931b6c235e2c207df0d6bcf3ee
MD5 hash: e4752abf0f20d4ffb3e6d560f0b717d6
humanhash: sodium-vegan-aspen-georgia
File name:E4752ABF0F20D4FFB3E6D560F0B717D6.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'150'695 bytes
First seen:2021-06-26 15:15:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:Z2G/nvxW3WtZJ26oa1ZHrgxsoQcnI6CTRr+H:ZbA3w2UHrgTH
Threatray 608 similar samples on MalwareBazaar
TLSH 6B357B527648CA21C0692637D5EF55144BBCFD00BB62CB1B7F9E336CA9613A36D0D2CA
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://185.246.64.221/bigloadprotect.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.246.64.221/bigloadprotect.php https://threatfox.abuse.ch/ioc/154227/

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E4752ABF0F20D4FFB3E6D560F0B717D6.exe
Verdict:
Malicious activity
Analysis date:
2021-06-26 15:19:17 UTC
Tags:
trojan rat backdoor dcrat evasion stealer
Link:
https://app.any.run/tasks/1ed5c23d-14b1-487c-969a-87e05f4de8f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9871346-0
Create hunting rule

Win.Packed.Uztuby-9871347-0
Create hunting rule

Win.Packed.Uztuby-9872070-0
Create hunting rule

Win.Packed.Uztuby-9873018-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3fc0d15d-40cb-4787-93c8-79dfce7540e5
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
81 / 100
Link:
https://www.joesandbox.com/analysis/808469
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440880 Sample: 0c1fB2UIT4.exe Startdate: 26/06/2021 Architecture: WINDOWS Score: 81 70 Found malware configuration 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected DCRat 2->74 76 3 other signatures 2->76 12 0c1fB2UIT4.exe 3 7 2->12         started        process3 file4 56 C:\Fontwin\FontwinReviewRuntime.exe, PE32 12->56 dropped 15 wscript.exe 1 12->15         started        17 wscript.exe 12->17         started        process5 process6 19 cmd.exe 1 15->19         started        process7 21 FontwinReviewRuntime.exe 16 122 19->21         started        26 conhost.exe 19->26         started        dnsIp8 58 185.246.64.221, 49726, 49728, 49729 THEFIRST-ASRU Russian Federation 21->58 60 api.telegram.org 149.154.167.220, 443, 49734 TELEGRAMRU United Kingdom 21->60 62 2 other IPs or domains 21->62 54 C:\Users\...\FontwinReviewRuntime.exe.log, ASCII 21->54 dropped 78 Multi AV Scanner detection for dropped file 21->78 80 May check the online IP address of the machine 21->80 82 Machine Learning detection for dropped file 21->82 84 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->84 28 cmd.exe 1 21->28         started        file9 signatures10 process11 signatures12 88 Uses ping.exe to sleep 28->88 90 Uses ping.exe to check the status of other devices and networks 28->90 31 FontwinReviewRuntime.exe 121 28->31         started        35 conhost.exe 28->35         started        37 PING.EXE 1 28->37         started        39 chcp.com 1 28->39         started        process13 dnsIp14 66 ipinfo.io 31->66 68 Tries to harvest and steal browser information (history, passwords, etc) 31->68 41 cmd.exe 31->41         started        signatures15 process16 signatures17 86 Uses ping.exe to sleep 41->86 44 FontwinReviewRuntime.exe 41->44         started        48 conhost.exe 41->48         started        50 chcp.com 41->50         started        52 PING.EXE 41->52         started        process18 dnsIp19 64 ipinfo.io 44->64 92 Tries to harvest and steal browser information (history, passwords, etc) 44->92 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6673fb12d144ff4db370f33158e67c63a2e053685fc396b255141192a38abc6/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-06-20 10:24:52 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uztt7mjncrh7jwzxb4zrldthyy5c4bjwqx6ds2zfkfarskryvpda._file
Verdict:
malicious
Similar samples:
08acc4229c4d8424570ee93f20f7c60a0e9e0605f7dc8594d14d52209b72ce00
DCRat
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
6c3a2575d3325e7a0f520a5fefa0384855980461683e6c7463debbd668ab3258
DCRat
78710c49b37af00745534239b0d17c2e019a99f867492667592d131b77f0933f
DCRat
89867740e614b4cb55236ea82a1e487b906766f8cd806aacf6c0ef1413141b12
DCRat
bf6e3cf654738116a14be298176fc12524154ee51f9a2424fa117ee5b47be53a
DCRat
c77a79785de7336c777bb3d65e0914c39c265b81494b50c64ce835cb9712855e
DCRat
d31dcb27d98e4e58b3210b325121812395dc8f64c7c20398d8144346a10d7350
DCRat
e2c0f6c339713ba63202f13e1f788997d87b4d8ce38cb6bb8f214bc92020b77d
DCRat
e46a16ade0a00728c59210acdcd131a5bab46470d9acb07afb58917a1e287456
DCRat
+ 598 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat spyware stealer
Link:
https://tria.ge/reports/210626-k6vyg5g2vn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DCRat Payload
DcRat
Unpacked files
SH256 hash:
801b5bafc593721c805b146f980681ce9e2f7dd59fd1e85924778fb47f27153f
MD5 hash:
22606258c970d1de21ad0cc7c589ed8c
SHA1 hash:
39a6058692bbcbc37768cfb39b1d5d52dc8be601
Link:
https://www.unpac.me/results/5ff8bae7-f968-4542-acd9-f5fba9774df9/
SH256 hash:
a6673fb12d144ff4db370f33158e67c63a2e053685fc396b255141192a38abc6
MD5 hash:
e4752abf0f20d4ffb3e6d560f0b717d6
SHA1 hash:
b3cddf4fa00679931b6c235e2c207df0d6bcf3ee
Link:
https://www.unpac.me/results/5ff8bae7-f968-4542-acd9-f5fba9774df9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6673fb12d144ff4db370f33158e67c63a2e053685fc396b255141192a38abc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments