MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e
SHA3-384 hash: a6bcfab1ad26b8ac0da89181c5960cf38ab28693e55df62e759e3a95fd4d227ab2b8ff7f1591772aec557722ef038fb2
SHA1 hash: 08cec1bf0999c2d72a35cabee19ba74d08e483fe
MD5 hash: 15fe08f3e2834cc840ccb90234656f2b
humanhash: white-triple-xray-equal
File name:15fe08f3e2834cc840ccb90234656f2b.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'198'016 bytes
First seen:2024-05-09 01:10:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep 49152:tbA3j4XFe78ERXQEfGe1fMRVXDpQnSbN7ta:tbxX4783Eu4URVDtO
TLSH T187A5BE017F44CA11F0191233C2FF49044BB4AC51AAA6E72B7EBA376D65223973C5DADB
TrID 56.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
12.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
9.1% (.EXE) InstallShield setup (43053/19/16)
5.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
5.6% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a0951137.xsph.ru/967d93f7.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
352
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e.exe
Verdict:
Malicious activity
Analysis date:
2024-05-09 01:11:26 UTC
Tags:
rat backdoor dcrat remote stealer
Link:
https://app.any.run/tasks/a662149c-b717-49fb-acf5-20233c9c2352

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Tool.Disabledefender-9973916-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

Win.Trojan.Uztuby-10010740-0
Create hunting rule

Win.Trojan.Injector-6297685-1
Create hunting rule

Win.Trojan.Agent-345883
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Launching a service
Creating a file in the Windows subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the Program Files subdirectories
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd cscript dcrat defender explorer fingerprint lolbin packed packed packed prometheus risepro schtasks setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/663c22a91c9796b80ab6d348/reports/0d4d054a-67a4-412f-80ee-aa2b583fd14c/overview
Verdict:
Malicious
Labled as:
TrojanDropper.Delf
Link:
https://www.hybrid-analysis.com/sample/c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91e3051f-cac8-4631-8d3c-0af9b7074b35
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1438702
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected Defender Control Hacktool
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1438702 Sample: WVswy22Yv1.exe Startdate: 09/05/2024 Architecture: WINDOWS Score: 100 67 a0951137.xsph.ru 2->67 71 Snort IDS alert for network traffic 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 15 other signatures 2->77 11 WVswy22Yv1.exe 3 2->11         started        15 MUjLTjnaphbzWETsIXOZNzrvYUS.exe 2->15         started        17 MUjLTjnaphbzWETsIXOZNzrvYUS.exe 2->17         started        signatures3 process4 file5 63 C:\Users\user\AppData\Local\Temp\file.exe, PE32 11->63 dropped 65 C:\Users\user\AppData\Local\...\dControl.exe, PE32 11->65 dropped 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->103 105 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 11->105 19 file.exe 3 7 11->19         started        23 dControl.exe 4 11->23         started        107 Multi AV Scanner detection for dropped file 15->107 signatures6 process7 file8 51 C:\Windows\SysWOW64\Mbr.exe, PE32 19->51 dropped 53 C:\Windows\SysWOW64\4RFpGVbRBEIkuj1Kqd.vbe, data 19->53 dropped 79 Antivirus detection for dropped file 19->79 81 Multi AV Scanner detection for dropped file 19->81 83 Machine Learning detection for dropped file 19->83 25 wscript.exe 1 19->25         started        28 dControl.exe 4 23->28         started        signatures9 process10 signatures11 93 Windows Scripting host queries suspicious COM object (likely to drop second stage) 25->93 30 cmd.exe 1 25->30         started        33 dControl.exe 5 28->33         started        process12 signatures13 109 Drops executables to the windows directory (C:\Windows) and starts them 30->109 35 Mbr.exe 1 16 30->35         started        39 conhost.exe 30->39         started        process14 file15 55 C:\Windows\System\csrss.exe, PE32 35->55 dropped 57 C:\...\MUjLTjnaphbzWETsIXOZNzrvYUS.exe, PE32 35->57 dropped 59 C:\...\MUjLTjnaphbzWETsIXOZNzrvYUS.exe, PE32 35->59 dropped 61 3 other malicious files 35->61 dropped 85 Antivirus detection for dropped file 35->85 87 Multi AV Scanner detection for dropped file 35->87 89 Machine Learning detection for dropped file 35->89 91 5 other signatures 35->91 41 MUjLTjnaphbzWETsIXOZNzrvYUS.exe 35->41         started        45 schtasks.exe 35->45         started        47 schtasks.exe 35->47         started        49 19 other processes 35->49 signatures16 process17 dnsIp18 69 a0951137.xsph.ru 141.8.192.169, 49730, 49731, 49732 SPRINTHOSTRU Russian Federation 41->69 95 Multi AV Scanner detection for dropped file 41->95 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->97 99 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 41->99 101 Tries to harvest and steal browser information (history, passwords, etc) 41->101 signatures19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-05-03 23:33:19 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
36 of 38 (94.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbeqgh4fo3zgrsacnfofy3mhvc5irrfhvo65m2tpawbna3vmuqpa._file
Verdict:
malicious
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat spyware stealer upx
Link:
https://tria.ge/reports/240509-bjx85sce58/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
a4efc4f1226a66426dc28084248614190bc64444ac2624d1d5cb55ea09457443
MD5 hash:
25203676ab8bf062368b7179709b3db9
SHA1 hash:
c17b47650d3872da653cc926b577b9e57dd5a918
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/7e2a304f-b5d5-4c7b-b175-19232875ebaa/
SH256 hash:
dfa20714b2f1dc7ac80f14e3f8a963310a5696e6450beb5ff3ad8f125a9c6590
MD5 hash:
8d9506eae43f59fcb680aab8ad001420
SHA1 hash:
5753ab6f572e96e64fd2cd5aa2d7800dc18e95ed
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/7e2a304f-b5d5-4c7b-b175-19232875ebaa/
Parent samples :
6ade40b71ee50ca95629aaa593bc8f48335ff0eee6c47c3a1dcaacbd9f1eaf42
1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274
c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0
098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc
ba61b838a6b159d1d8f6fbbd1c80016fe7277225d1847de9ae50d0d83b29f9f1
b27cdbd5705c56034999011911997559d5eecb66e2e0d8b8c9aa843fe05d1627
e9f868d54dc0cda5bd4e13ad4fb6c7861b339024cd28daf0dc8eb9ee69a405fe
f14e979398839caddd543261a8e9773bcd5a95d9f433e113ecdc8605cd3b2393
647194fc5716bcdebe9b20e13b3f08e7816d13530a15e8d1669f2f25ba628274
ee9e68394df17b14d2190d46257445f427bc43d4e02be9f26bf6236b17fe0052
2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6
c7f4e1aba81ad7714da4487dd279cc886b50428116b614c9ebe246d937c478f0
dd71110a6b7fb79b2949280611957646f76503f1bda866b06e74b9a74e54dc89
SH256 hash:
2bfabc20b89c042309661f5f0204d39aab5e08bda3157fe0966367abfac3d224
MD5 hash:
36377fe77a04fc485e2a89408c0a755c
SHA1 hash:
7e233e67a96145d9e02d1b0813e96beaa074d19b
Link:
https://www.unpac.me/results/7e2a304f-b5d5-4c7b-b175-19232875ebaa/
SH256 hash:
c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e
MD5 hash:
15fe08f3e2834cc840ccb90234656f2b
SHA1 hash:
08cec1bf0999c2d72a35cabee19ba74d08e483fe
Detections:
DefenderControl
Create hunting rule
INDICATOR_TOOL_PET_DefenderControl
Create hunting rule
DefenderControl
Create hunting rule
Link:
https://www.unpac.me/results/7e2a304f-b5d5-4c7b-b175-19232875ebaa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIt
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:AutoIT packer
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DefenderControl
Create hunting rule
Author:@bartblaze
Description:Identifies Defender Control, used by attackers to disable Windows Defender.
Reference:https://www.sordum.org/9480/defender-control-v1-8/
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:INDICATOR_TOOL_PET_DefenderControl
Create hunting rule
Author:ditekSHen
Description:Detects Defender Control
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetTempPathA

Comments