MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac1976494d19c9e673c6ae69a2e88b5901ad494d57d5d942cef0121232772132. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac1976494d19c9e673c6ae69a2e88b5901ad494d57d5d942cef0121232772132
SHA3-384 hash: 3aacfe948c71c2f26e248fec1890ca20ef3db1d0c3e74f4bb487daebac723676f7ee8e188f5f1fcc30b7fc6c3b845392
SHA1 hash: ff202bb47d15c1ba2253d469348e712e76ff99f4
MD5 hash: a262ec26b6939359e6c449585961406d
humanhash: washington-vegan-pluto-item
File name:a262ec26b6939359e6c449585961406d.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'726'384 bytes
First seen:2021-07-15 03:15:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:7/vjfKQc98eXaDPRLFtZa695ReTKuqLqV4JuP9sH52HLXyl8k1o92ajsFTahv3n0:7/v7Qp4orhv3MNL
Threatray 7 similar samples on MalwareBazaar
TLSH T12306AF5177ECA9E1C1BDC33C81938E89E7B0B004AF2267D701A5525D2E27BEA5C3E653
Reporter abuse_ch
Tags:DCRat exe signed

Code Signing Certificate

Organisation:Microsoft Corporation
Issuer:Microsoft Code Signing PCA
Algorithm:sha1WithRSAEncryption
Valid from:2018-07-12T20:11:19Z
Valid to:2019-07-26T20:11:19Z
Serial number: 33000001b1ddedba54e965b85f0001000001b1
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 37a8a01d0cf930dca58e725400ad06dd550970b92f49b0c3a15b321b4e4097da
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
DCRat C2:
http://37.46.133.226/Cpusupportdata/scriptscriptServer/scriptCpuPrefphp/Linepythonapimultitrack.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://37.46.133.226/Cpusupportdata/scriptscriptServer/scriptCpuPrefphp/Linepythonapimultitrack.php https://threatfox.abuse.ch/ioc/160412/

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EE26949C4C945A20569ABDDBAA487709.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-14 13:42:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c92313f3-b72a-424b-bdb8-e40809fa6459

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171848/
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cdcd9be-05da-4937-9b3c-9ec1c8460a7e
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816639
Signature
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449050 Sample: 8eg3NdPWX0.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 6 other signatures 2->51 7 8eg3NdPWX0.exe 1 20 2->7         started        11 Idle.exe 3 2->11         started        13 8eg3NdPWX0.exe 2 2->13         started        15 2 other processes 2->15 process3 file4 37 C:\...\eDdnCxYwcTNZdCDjfDqaKUlmwvUCv.exe, PE32 7->37 dropped 39 C:\Users\user\Desktop\...\8eg3NdPWX0.exe, PE32 7->39 dropped 41 C:\...\eDdnCxYwcTNZdCDjfDqaKUlmwvUCv.exe, PE32 7->41 dropped 43 8 other malicious files 7->43 dropped 53 Detected unpacking (overwrites its own PE header) 7->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 63 2 other signatures 7->63 17 8eg3NdPWX0.exe 2 7->17         started        19 schtasks.exe 1 7->19         started        21 schtasks.exe 1 7->21         started        23 3 other processes 7->23 59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 signatures5 process6 process7 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 23->33         started        35 conhost.exe 23->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac1976494d19c9e673c6ae69a2e88b5901ad494d57d5d942cef0121232772132/
Threat name:
ByteCode-MSIL.Trojan.Spy
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 02:16:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqmxmskndhe6m46gvzu2f2ellea22sknk7k5sqwo6ajbemtxeeza._file
Verdict:
unknown
Similar samples:
27b1723e770a97166455a9b7edd4c7e3ee89ac046ef8dad51f7a48ac7c71c006
DCRat
54d7969a09d2ad3dcf82a96a0fce4e3fc5bbb6ee26d01a0b8517f364b5431217
DCRat
5b32b25c28c5b99c080f8b452c2b5b5e95d2d23432ea8191069f46f7b4835d44
DCRat
a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e
DCRat
c07d9b494ee6dad4baa8ad39b37af05488278e8823b81feab25f359ccdc390bd
DCRat
cf84be2a0d26ffd76a445e6a288e1dc9d61ff01bd00e9c4dac583e86215c207f
DCRat
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210715-r46dl8tq6j/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
b2964bb5cad83d68da082a1d80fa381b57dae2bfe90579aa402342461643e1e6
MD5 hash:
9fb56a40d0ac9b016b9b0f14f5caf9ea
SHA1 hash:
7eea4052bd3ca1edd0be2ce9329f9094ed3856f9
Link:
https://www.unpac.me/results/e8d7005e-768f-48ea-a2b9-bedfc615d26f/
SH256 hash:
ac1976494d19c9e673c6ae69a2e88b5901ad494d57d5d942cef0121232772132
MD5 hash:
a262ec26b6939359e6c449585961406d
SHA1 hash:
ff202bb47d15c1ba2253d469348e712e76ff99f4
Link:
https://www.unpac.me/results/e8d7005e-768f-48ea-a2b9-bedfc615d26f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.06
Link:
https://yomi.yoroi.company/submissions/ac1976494d19c9e673c6ae69a2e88b5901ad494d57d5d942cef0121232772132

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171848/

Comments