MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a
SHA3-384 hash: 2c17a29774d45ed526dd88f49289d17daf7c0e4825d80244cad26b09379f242aca142679669525f8e0c9440324ef9c8c
SHA1 hash: 5c8a5432e12df1ecdb33499e0c142a6ba37165f0
MD5 hash: 10092d3106ee645c3b2d9d18b6198298
humanhash: monkey-kitten-mars-nevada
File name:10092d3106ee645c3b2d9d18b6198298.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'559'270 bytes
First seen:2024-07-06 10:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:IBJTrDS1bJ+05CiD5LIYUcfjEGJT8TpIfYttDqrWEn5PjfHyejpdQ8y7uBxbPEKF:y9rGrXZTjupIf2ODxzSeFP64EKIjFZE/
Threatray 324 similar samples on MalwareBazaar
TLSH T15CF533507CC98872E1B70836A2B09F21A57E7E301F7E8EDF67C56D5EE5311C08A60762
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://911628cm.nyashka.top/imagevideopipehttpLowgameBigloadmultidleLocal.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://911628cm.nyashka.top/imagevideopipehttpLowgameBigloadmultidleLocal.php https://threatfox.abuse.ch/ioc/1295156/

Intelligence

File Origin
# of uploads :
1
# of downloads :
550
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a.exe
Verdict:
Malicious activity
Analysis date:
2024-07-06 10:32:02 UTC
Tags:
dcrat rat remote darkcrystal netreactor susp-powershell
Link:
https://app.any.run/tasks/df6f0a82-ba16-494a-bf3b-1c791546d4cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66891e6714220722c9769ad5win10vpnfull_triage
Tags:
Encryption Execution Network Static Stealth Trojan Uztuby
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file
Loading a suspicious library
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Launching a process
Sending a UDP request
Connection attempt to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Enabling autorun
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed packed setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/66891ce849a1c8306269f587/reports/d49f3027-6ae9-42a0-ab2b-0cadfd6ca139/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/156dc095-0aea-4fd1-a580-84b8b991cfb0
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1468516
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Drops executable to a common third party application directory
Drops PE files to the user root directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1468516 Sample: Kxjf9xfVcb.exe Startdate: 06/07/2024 Architecture: WINDOWS Score: 100 79 911628cm.nyashka.top 2->79 81 18.31.95.13.in-addr.arpa 2->81 91 Snort IDS alert for network traffic 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Antivirus detection for URL or domain 2->95 97 16 other signatures 2->97 11 Kxjf9xfVcb.exe 3 10 2->11         started        14 aTIsRFUjeKeACHLpgoGmdoFsNYVMS.exe 2->14         started        18 aTIsRFUjeKeACHLpgoGmdoFsNYVMS.exe 2->18         started        20 7 other processes 2->20 signatures3 process4 dnsIp5 59 C:\Users\user\AppData\...\HyperServerFont.exe, PE32 11->59 dropped 61 zAABOcyJ2bBgkpH6Xh...CX3caSCc9GQdkeF.vbe, data 11->61 dropped 22 wscript.exe 1 11->22         started        83 911628cm.nyashka.top 188.114.96.3, 49736, 49737, 49740 CLOUDFLARENETUS European Union 14->83 63 C:\Users\user\Desktop\zqyErInH.log, PE32 14->63 dropped 65 C:\Users\user\Desktop\woMWWZiM.log, PE32 14->65 dropped 67 C:\Users\user\Desktop\pZmGWBbc.log, PE32 14->67 dropped 69 19 other malicious files 14->69 dropped 109 Tries to harvest and steal browser information (history, passwords, etc) 14->109 111 Multi AV Scanner detection for dropped file 18->111 113 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->113 115 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 18->115 117 Antivirus detection for dropped file 20->117 119 Machine Learning detection for dropped file 20->119 file6 signatures7 process8 signatures9 99 Windows Scripting host queries suspicious COM object (likely to drop second stage) 22->99 25 cmd.exe 1 22->25         started        process10 process11 27 HyperServerFont.exe 7 46 25->27         started        31 conhost.exe 25->31         started        file12 71 C:\...\aTIsRFUjeKeACHLpgoGmdoFsNYVMS.exe, PE32 27->71 dropped 73 C:\Users\user\Desktop\zsDFvWZm.log, PE32 27->73 dropped 75 C:\Users\user\Desktop\xEzwJIdo.log, PE32 27->75 dropped 77 26 other malicious files 27->77 dropped 101 Antivirus detection for dropped file 27->101 103 Multi AV Scanner detection for dropped file 27->103 105 Detected unpacking (creates a PE file in dynamic memory) 27->105 107 8 other signatures 27->107 33 cmd.exe 27->33         started        36 csc.exe 4 27->36         started        39 schtasks.exe 27->39         started        41 17 other processes 27->41 signatures13 process14 file15 85 Uses ping.exe to sleep 33->85 87 Uses ping.exe to check the status of other devices and networks 33->87 43 conhost.exe 33->43         started        45 chcp.com 33->45         started        47 PING.EXE 33->47         started        49 conhost.exe 33->49         started        57 C:\Windows\...\SecurityHealthSystray.exe, PE32 36->57 dropped 89 Infects executable files (exe, dll, sys, html) 36->89 51 conhost.exe 36->51         started        53 cvtres.exe 1 36->53         started        55 conhost.exe 39->55         started        signatures16 process17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a/
Threat name:
Win32.Trojan.DCRat
Create hunting rule
Status:
Malicious
First seen:
2024-07-03 18:41:09 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgvxvy3jmwu3pp7a6rqshsv652jgb4ebnmiyz4ic322eqc3dxbva._file
Verdict:
malicious
Similar samples:
0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199
DCRat
12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba
DCRat
3b9330b09929cc5391a31e5780a967d26f21b010b586b2226e3d22038226f800
DCRat
68dc241dd0d6ece27136f4ddd4577e7a323970994248ab2447ba1e03fe5ff5ab
DCRat
72d37461bae5b05ce82a70a2d170b4c1e0cd134284d8efbfcf09ec69dee50d11
DCRat
9d2f1bff5b4efda5ad6bc899b6520053a2568ce6b88e3dafedbf5ab8c3dfaa85
DCRat
e0aa620a8b2b7688482b39a6fafabe217fa4d774ce7441721e42b6bfdc88c450
DCRat
e4a811441488a49a640f234d4e514d6746ad7ea39c4f1fe750182a358acc4d0d
DCRat
fd013757b73bc051725a6cd214b5b5a4373ce97105404a7608226bb7e700fab5
DCRat
+ 314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/240706-mkc55syekf/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Process spawned unexpected child process
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/913edaa3-d205-492f-bf23-8b1f72984a39
Unpacked files
SH256 hash:
4abfb6c4719bf650b60ce4e9088ab59a24a33f06627a8a5cbddd4ed5ab59c14d
MD5 hash:
e6096483a8f2600535d5c540898501ee
SHA1 hash:
988f6c02d6d8fc54ef7c74e2982b606229f084c9
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/dcb6479c-138c-4a71-9ef5-ca83b276efbb/
SH256 hash:
b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a
MD5 hash:
10092d3106ee645c3b2d9d18b6198298
SHA1 hash:
5c8a5432e12df1ecdb33499e0c142a6ba37165f0
Link:
https://www.unpac.me/results/dcb6479c-138c-4a71-9ef5-ca83b276efbb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments