MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e
SHA3-384 hash: f72a1ce8bc87bd16d106a7af89cb36dfe09ff158d1efb846bd04650fa6e5b2d0a114111b4939f5d2c264c4ece77e301b
SHA1 hash: f8cc243ccf026fcf2cfb58361f1eaca93338e0ee
MD5 hash: ee26949c4c945a20569abddbaa487709
humanhash: leopard-carolina-lactose-burger
File name:EE26949C4C945A20569ABDDBAA487709.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'779'634 bytes
First seen:2021-07-14 13:40:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 49152:q5+hFutsk4BKFY1nxQIah2V+IROY4aal//+9h8DpoJW:q5aFZktVIRb4aal/G9iJ
Threatray 148 similar samples on MalwareBazaar
TLSH T132852383EBC7B8B6D983263004A9B30A9CF7DF25171146CBAB1C1415DD362DDEA3E191
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://37.46.133.226/Cpusupportdata/scriptscriptServer/scriptCpuPrefphp/Linepythonapimultitrack.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://37.46.133.226/Cpusupportdata/scriptscriptServer/scriptCpuPrefphp/Linepythonapimultitrack.php https://threatfox.abuse.ch/ioc/160412/

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EE26949C4C945A20569ABDDBAA487709.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-14 13:42:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c92313f3-b72a-424b-bdb8-e40809fa6459

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171669/
Detection(s):
Win.Trojan.Generic-9874371-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3a1c5a4-43c5-4d29-973c-f9d389ebbd64
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816238
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448649 Sample: vIXpjKnZoM.exe Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 7 other signatures 2->69 8 vIXpjKnZoM.exe 7 2->8         started        12 vIXpjKnZoM.exe 3 2->12         started        14 aGCaPZYjOlCPTQvrpRkjjLAfB.exe 3 2->14         started        16 msiexec.exe 2->16         started        process3 file4 57 C:\Users\user\AppData\Local\...\Crypted.exe, PE32 8->57 dropped 79 Contains functionality to register a low level keyboard hook 8->79 18 Crypted.exe 1 27 8->18         started        23 cmd.exe 1 8->23         started        59 C:\Users\user\AppData\...\vIXpjKnZoM.exe.log, ASCII 12->59 dropped 81 Detected unpacking (overwrites its own PE header) 12->81 83 Machine Learning detection for dropped file 12->83 85 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->85 signatures5 process6 dnsIp7 61 192.168.2.1 unknown unknown 18->61 49 C:\Windows\System32\wclPowrProf\msiexec.exe, PE32 18->49 dropped 51 C:\Windows\System32\...\RuntimeBroker.exe, PE32 18->51 dropped 53 C:\Windows\System32\tbauth\dwm.exe, PE32 18->53 dropped 55 7 other malicious files 18->55 dropped 71 Detected unpacking (overwrites its own PE header) 18->71 73 Machine Learning detection for dropped file 18->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->75 77 4 other signatures 18->77 25 schtasks.exe 1 18->25         started        27 schtasks.exe 1 18->27         started        29 schtasks.exe 1 18->29         started        33 8 other processes 18->33 31 conhost.exe 23->31         started        file8 signatures9 process10 process11 35 conhost.exe 25->35         started        37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        41 conhost.exe 33->41         started        43 conhost.exe 33->43         started        45 conhost.exe 33->45         started        47 4 other processes 33->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 09:26:00 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhlku7xt7xrt5mw7nood5sjjmxygmbe4vs5fgp74bguhoez3qcpa._file
Verdict:
unknown
Similar samples:
06607b04da0cd27e4a7abff3df7ee0be86df8226e81a5706351526a3101d2aa2
DCRat
27b1723e770a97166455a9b7edd4c7e3ee89ac046ef8dad51f7a48ac7c71c006
DCRat
4daba398d1d338f7eb29eef55e1afa4595dde813b27b33dcfb48ceff27e7e8b0
DCRat
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
DCRat
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
DCRat
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
DCRat
a0ee463632a3799ed2b21d598d1fa8c4ed7198f3debd175a1eb89b2055b57ccd
DCRat
c07d9b494ee6dad4baa8ad39b37af05488278e8823b81feab25f359ccdc390bd
DCRat
f6e01e745aac03b46befca8daff61626ab55cbabbef93e31c2c3b01928f9c756
DCRat
+ 138 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210714-2pq4d3wzla/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
2218f238274ec273546d1cef278c87be9465f64d3fc20601ebc9136e252053b6
MD5 hash:
5aaff866085f202190beccf008c48269
SHA1 hash:
acde7f015933ff3d0e9d51275c6f3d523cd9b84a
Link:
https://www.unpac.me/results/27deec56-4ede-4533-9ebe-8c72f2f1d791/
SH256 hash:
394d5d7470ab1302ba07cce84ffba9e51f4eef4062a4cb65c9ef2c63dc9c1cc9
MD5 hash:
8f04f0d7a7f3975144cbb9c6ac68c219
SHA1 hash:
e58ab3e1f601d436bdac4c18833357b7312bb530
Link:
https://www.unpac.me/results/27deec56-4ede-4533-9ebe-8c72f2f1d791/
SH256 hash:
a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e
MD5 hash:
ee26949c4c945a20569abddbaa487709
SHA1 hash:
f8cc243ccf026fcf2cfb58361f1eaca93338e0ee
Link:
https://www.unpac.me/results/27deec56-4ede-4533-9ebe-8c72f2f1d791/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171669/

Comments