MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf1a2173cdf3a47abd060cbd86fc8c3cda7d01443694d7253bbd547f7feb21f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf1a2173cdf3a47abd060cbd86fc8c3cda7d01443694d7253bbd547f7feb21f4
SHA3-384 hash: ce37cc56d9d8e14c5584826e63666a9584157ef219c845abc24b57a5cc31774b750ea9e713bff377b6458d156a61562c
SHA1 hash: c8d29e22c4e501919a69581466e504dc5b8059ed
MD5 hash: 7eec2626da27debbdef59bcb7427f8a4
humanhash: blossom-saturn-potato-vermont
File name:r.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'237'485 bytes
First seen:2023-09-14 12:06:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:2TbBv5rUyXV97n8uVaSXCSp0ZrNAIdiaiH7oAaY/ohijfeSlRLnuBwD:IBJ9j/VaSySuPZdiZHkPYJfnuBwD
Threatray 314 similar samples on MalwareBazaar
TLSH T11F4512027AC190B2D4621C365A7AAB21B83DBD601FB5CEDFA3D03A5DDA215C0DB35763
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter JAMESWT_WT
Tags:89-23-98-75 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
r.exe
Verdict:
Malicious activity
Analysis date:
2023-09-14 10:25:13 UTC
Tags:
dcrat
Link:
https://app.any.run/tasks/c5bb6f30-4e53-42e6-96f5-e7262e997c2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448623/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd greyware lolbin lolbin overlay packed packed replace setupapi shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/6502f76969c1cf3b6ab5bff2/reports/b3e26051-b236-4fec-8529-096e976e265d/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/bf1a2173cdf3a47abd060cbd86fc8c3cda7d01443694d7253bbd547f7feb21f4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/942fe8c8-af5c-4aa6-9ad3-971c2be79baa
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307794
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1307794 Sample: r.exe Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 57 505406lm.nyashkoon.top 2->57 61 Antivirus detection for URL or domain 2->61 63 Antivirus detection for dropped file 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 4 other signatures 2->67 11 r.exe 3 7 2->11         started        signatures3 process4 file5 47 C:\a\ProviderComponentDll.exe, PE32 11->47 dropped 14 wscript.exe 1 11->14         started        process6 signatures7 75 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->75 17 cmd.exe 1 14->17         started        process8 process9 19 ProviderComponentDll.exe 3 25 17->19         started        23 conhost.exe 17->23         started        file10 39 C:\a\BktIlouBZtxFRrQbJrkhGv.exe, PE32 19->39 dropped 41 C:\Users\user\Desktop\yANBAYrZ.log, PE32 19->41 dropped 43 C:\Users\user\Desktop\xMJtOLvb.log, PE32 19->43 dropped 45 14 other malicious files 19->45 dropped 69 Multi AV Scanner detection for dropped file 19->69 25 cmd.exe 1 19->25         started        signatures11 process12 signatures13 71 Uses ping.exe to sleep 25->71 73 Uses ping.exe to check the status of other devices and networks 25->73 28 BktIlouBZtxFRrQbJrkhGv.exe 14 18 25->28         started        33 conhost.exe 25->33         started        35 PING.EXE 1 25->35         started        37 chcp.com 1 25->37         started        process14 dnsIp15 59 505406lm.nyashkoon.top 91.103.252.23, 49704, 49705, 49706 HOSTGLOBALPLUS-ASRU Russian Federation 28->59 49 C:\Users\user\Desktop\zWObQTho.log, PE32 28->49 dropped 51 C:\Users\user\Desktop\xTbsvkct.log, PE32 28->51 dropped 53 C:\Users\user\Desktop\oHaVZMHO.log, PE32 28->53 dropped 55 13 other malicious files 28->55 dropped 77 Multi AV Scanner detection for dropped file 28->77 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->79 81 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 28->81 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf1a2173cdf3a47abd060cbd86fc8c3cda7d01443694d7253bbd547f7feb21f4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-06 15:48:46 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 36 (63.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4ncc46n6oshvpigbs6yn7emhtnh2akeg2knojj3xvkh677leh2a._file
Verdict:
malicious
Similar samples:
01a9053ceb7d249f6db1ab2c30b5506b4b46cf206279d19d5a77b10b0711aaa7
DCRat
4ae98d07149ba3a2d9e00594f4da6e65c0386a6e95c0fb168a05607cbb0d2a65
DCRat
5ee5e591bb2ef8a32f74e08936129f473c1d66a9c61ca454ad86fd6c9a3451d0
DCRat
6c398c08d438498b4508e1c646f5249961d5646dd350e48398ee26be2643f576
DCRat
82e31b9bef8bdc34385c82db1239f570fccdb0b96a8f1ae0dcd4fa7abcc9ca25
DCRat
bfbf48fb4dd150dbc6c34b309dc308326a5b9ab40defafbe32060236243fe8ba
DCRat
+ 304 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230914-paay5see27/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
3b311986251ee5a303671108afbaf43e0255c4cae1c26cc9600bb0c7d22d3864
MD5 hash:
9e910782ca3e88b3f87826609a21a54e
SHA1 hash:
8dbc333244620eda5d3f1c9eaa6b924455262303
Link:
https://www.unpac.me/results/5b69b491-c18a-4ffc-b851-dd420360d570/
SH256 hash:
7a080d8bd178ec02c7f39f7f941479074c450c4fdd8e963c993d2fb5537c7708
MD5 hash:
16b480082780cc1d8c23fb05468f64e7
SHA1 hash:
6fddf86f9f0fbaa189f5cb79e44999a3f1ac2b26
Link:
https://www.unpac.me/results/5b69b491-c18a-4ffc-b851-dd420360d570/
SH256 hash:
bf1a2173cdf3a47abd060cbd86fc8c3cda7d01443694d7253bbd547f7feb21f4
MD5 hash:
7eec2626da27debbdef59bcb7427f8a4
SHA1 hash:
c8d29e22c4e501919a69581466e504dc5b8059ed
Link:
https://www.unpac.me/results/5b69b491-c18a-4ffc-b851-dd420360d570/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf1a2173cdf3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf1a2173cdf3a47abd060cbd86fc8c3cda7d01443694d7253bbd547f7feb21f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe bf1a2173cdf3a47abd060cbd86fc8c3cda7d01443694d7253bbd547f7feb21f4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2711684/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448623/

Comments