MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 17


Intelligence 17 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
SHA3-384 hash: 138e318b99db656f572643093127b851f7201bd141c5f6f8e96c42a6601ed53c6c422d07615afe61bab4d61283513147
SHA1 hash: 734fcf4466cb74f6355fedc7d91377f3a14bc384
MD5 hash: 36414c38ff6a43f76841281d0092fa6b
humanhash: oranges-salami-oscar-illinois
File name:36414C38FF6A43F76841281D0092FA6B.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:954'880 bytes
First seen:2024-08-28 07:45:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5d9d937853db8b666bd4b525813d7bd (40 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep 24576:ykUxIMcP0X0yAy7+Wb7+cVWtHaD5aaN+2ehZk/9J:y3p9h+daW2+wJ
Threatray 1'015 similar samples on MalwareBazaar
TLSH T164152396A7BB1F3DE6C1C3B580F6CAE1474B0C40B461196B06C279DBB6B67D09A409F3
TrID 83.6% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65)
4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.7% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon f0809296969280f0 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a1021266.xsph.ru/L1nc0In.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://a1021266.xsph.ru/L1nc0In.php https://threatfox.abuse.ch/ioc/1316758/

Intelligence

File Origin
# of uploads :
1
# of downloads :
419
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36414C38FF6A43F76841281D0092FA6B.exe
Verdict:
Malicious activity
Analysis date:
2024-08-28 07:46:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/476e8070-a427-4599-80fe-35b70bf2f886

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Poison-8692
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ced5bcf1a57bfb70912c95
Tags:
Execution Network Other Stealth Trojan Poison Ivy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed poison shell32 xorist
Link:
https://www.filescan.io/uploads/66ced5bfb854095a010b7720/reports/b96c076a-d4ce-4fa1-892c-8a5568a0e943/overview
Verdict:
Malicious
Labled as:
Trojan.Poison
Link:
https://www.hybrid-analysis.com/sample/a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0ed99a5-668d-43f0-a25a-5fa4c6894712
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1500362
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains VNC / remote desktop functionality (version string found)
Creates processes via WMI
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1500362 Sample: LWZyUFvVh1.exe Startdate: 28/08/2024 Architecture: WINDOWS Score: 100 57 Suricata IDS alerts for network traffic 2->57 59 Found malware configuration 2->59 61 Antivirus detection for dropped file 2->61 63 12 other signatures 2->63 10 LWZyUFvVh1.exe 10 2->10         started        process3 file4 47 C:\Users\user\AppData\Local\...\VfxClate.exe, PE32 10->47 dropped 49 C:\Users\user\AppData\...\CapCutPort.exe, PE32 10->49 dropped 75 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->75 77 Contains VNC / remote desktop functionality (version string found) 10->77 14 VfxClate.exe 3 6 10->14         started        18 CapCutPort.exe 13 10->18         started        signatures5 process6 file7 51 C:51VDGerofce\msPortruntime.exe, PE32 14->51 dropped 53 C:53VDGerofce53uAYsvyL.vbe, data 14->53 dropped 79 Antivirus detection for dropped file 14->79 81 Machine Learning detection for dropped file 14->81 83 Contains VNC / remote desktop functionality (version string found) 14->83 20 wscript.exe 1 14->20         started        55 C:\Users\user\AppData\Local\...\System.dll, PE32 18->55 dropped signatures8 process9 signatures10 65 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->65 23 cmd.exe 1 20->23         started        process11 process12 25 msPortruntime.exe 1 18 23->25         started        29 conhost.exe 23->29         started        file13 39 C:\Windows\Help\Help\vFEjpqtbFnWoKzXxYc.exe, PE32 25->39 dropped 41 C:\Recovery\vFEjpqtbFnWoKzXxYc.exe, PE32 25->41 dropped 43 C:\Recovery\StartMenuExperienceHost.exe, PE32 25->43 dropped 45 4 other malicious files 25->45 dropped 67 Antivirus detection for dropped file 25->67 69 Multi AV Scanner detection for dropped file 25->69 71 Machine Learning detection for dropped file 25->71 73 3 other signatures 25->73 31 schtasks.exe 25->31         started        33 schtasks.exe 25->33         started        35 schtasks.exe 25->35         started        37 19 other processes 25->37 signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-08-22 17:57:38 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
36 of 38 (94.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3fa2d3mi7zra54oru5if6lm423oodqsjcqx6475u3p7lfstw5qq._file
Verdict:
malicious
Similar samples:
78e05cedaa8ac3d3361793ab8b19b6ba2147ea99cd6e406720e90dc5474fcda0
DCRat
821cb2141c54e7f85c771ffb713132c64ab34c42d7dc495d932d4048349ecf19
DCRat
a083297276d53c1ea773b6a44715daa36259a8a9efcbc9c18818903c25663847
DCRat
ac0b3ac885140d67aa6dc474ab2daad2aa726106007cae766fafe873b0419cc1
DCRat
+ 1'005 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat discovery infostealer rat
Link:
https://tria.ge/reports/240828-jlylpasajp/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Process spawned unexpected child process
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d08737ec-4af4-4ad3-8985-2a974608b93f
Unpacked files
SH256 hash:
e9ba0a0801d571c96ac90117b778445fc12384bf0a78e47e9e400c40f1d79796
MD5 hash:
b0beba727712bdda00e44c53cacc01bd
SHA1 hash:
f7cbc290482f93eeb281c6bb036d842c0b0fd99e
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
MD5 hash:
132e6153717a7f9710dcea4536f364cd
SHA1 hash:
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
227a4fc9408a44faa5eca608a974bd536814f97b8a4d28b4cac479727167b026
MD5 hash:
bd393029cc49b415b6c9aeb8a4936516
SHA1 hash:
c67fd92fffd18941bed41bfd6ac4f3b04fd123df
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af
MD5 hash:
a88baad3461d2e9928a15753b1d93fd7
SHA1 hash:
bb826e35264968bbc3b981d8430ac55df1e6d4a6
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
MD5 hash:
bf712f32249029466fa86756f5546950
SHA1 hash:
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
ada2f1b1bd5f70e1244c7ed20d33ecfbdc85825221a28d8d4d60a18a9bbf3b5c
MD5 hash:
7249d7e787faf606c97f162b93a62448
SHA1 hash:
2be8ed1664e6f97b996a1623e609e5e92f93bceb
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06
MD5 hash:
55a723e125afbc9b3a41d46f41749068
SHA1 hash:
01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f
MD5 hash:
89bf0f7e9adf290c6d571eccf79206a9
SHA1 hash:
65f95791234ff93bc3e35f1d35d7a6664872dc56
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
Parent samples :
d5775aecd2e8d149e2b9ba576ddc2db3624a974cafc8fc1df318226fc2c6d4b4
8e997bef9ad61722cb7b782da93b7373acd19dbdc4cb91b47e80280e2100b6a3
5ba1b028da2c0e52c38c7a55bf1e7952cc50c907576ec2f22b6a25d691dde2d6
be15d47389920ab9637eefc24bbf6c191607013a3d2608c1243a377aacb5d4ce
f027301d00c6bc4b1c87e5e3266775f395907fa04e2c768b7082381d60880f82
b1088573c2e783e97fb07ccf1d8d8e9372ccd8983cc07c7ee9c6989a3844b334
e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff
45e1440acf3453915252d0d61ffcee6fd96170ccf2323c16178dfaaa186565f8
1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
f733fbe95a7fe8a2c0ef459b05fed88b7a295de5e39c591bf62d3e0a5575e6fc
658b0a01404144b5da03574e2a05b6c02030baa2276b9e047174c6ccb3e8918d
cf4efad0b9d74151b09be4acfb12d1aea2a9e316b97a2eb7f4ca8ac12b0e6d8c
381bb149e04bec8f62336cdf3c81741c2c7a471f6dacc2f7835eb174643abad7
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
1a39cff5d5b0b550cd9b30f08c0e32430c2e1b92aecc663d4151789e54d13f64
1b881d8c3ba53e9b250de6d1118a27738fd8e88fd475e3e01afabd4e627f83a2
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
2ec983b4653f6a5ee028e9ecfa37d8cf2404a10e9691bb8ed39023be643ef55e
797bbd3d5e08ab4919540911ab6149be0c6f38de3659378bf38fc5ac01ccee48
4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
4d908524b238846077a6fb1df34be93ae926e13c15bb8ac5c45a8980ef4862ce
581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892
8ac5083f52da0ff312259331f65b326782803aa837a7b371a6d43a021b0c24c3
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
e1a60229372db9d65dbadfe6db923edf3987ac9f908878491bd12497613324d8
41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
ab71530434f64e6aa105732c42dbb5a409ac0aae4258b3c3e7db1a7d5914cc30
3b88fdeb5144b0f3a710b42cefa937e57aed28001acb82562229472ce258a124
70fbebc77d5f37a0ffd373be6ee9f218a5ea30b86e395e7212b850f0f6934b6f
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
1d6628a6cd66f3dd7f3377ee1c30e8a92cedb1d40f5a121b84e5ab84a0e19909
841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4
1b304c8a2ae4546bd7958c7f22becaf6b682a5c88b7a01945a952de991b0ef0b
693cf45b243073eeb5479f4b29ff36c417b858b042363cf1a53d7623504a6d29
f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
48be2502fad84657b383c41b2616f34a029f9a39d63aae1a1714faf7ba79e3da
SH256 hash:
89ee33532625851084a0248dfa450b43f32ab189fe5762bbd722d9adf00f5091
MD5 hash:
f540e31988b28b3b517332c6fededfb0
SHA1 hash:
53020e48d3eb704460166a2ccce056f0c83a7440
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
d7de9d8abaaa935505041286bea3982384fd1f54e5eb5005a7992b06c89805f1
MD5 hash:
28ead138edd830e10e35eabf08074d75
SHA1 hash:
d6b9e5392674d8bab993e6b0201b6cfdb48ebb2b
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
SH256 hash:
a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
MD5 hash:
36414c38ff6a43f76841281d0092fa6b
SHA1 hash:
734fcf4466cb74f6355fedc7d91377f3a14bc384
Link:
https://www.unpac.me/results/5824306d-0926-499a-867f-f3f368219d20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetTempPathA
WIN_USER_APIPerforms GUI Actionsuser32.dll::CreateWindowExA

Comments