MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5756ce06fa61c126c91f1c499ccc48222ac221167fa51d82d8546e490f2688e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5756ce06fa61c126c91f1c499ccc48222ac221167fa51d82d8546e490f2688e
SHA3-384 hash: ba63ecd67c018bade194f830e9fc2a4f190091a2da963ac128f5526b9d36181b39a2bd50555f09a73e39318fc352c71d
SHA1 hash: 42b79ad80b9bd7f3318d1086b9832106b2cadd49
MD5 hash: 93f80e6943dae23ec3b7335ba4acb355
humanhash: venus-tennessee-oven-missouri
File name:HEUR-Backdoor.MSIL.LightStone.gen-d5756ce06fa.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'105'920 bytes
First seen:2023-01-05 05:15:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:EDgJuO4hVj9l8cKzKG0uBXOhbcyXeE0+4:hxmV8HWjwexv
Threatray 3'194 similar samples on MalwareBazaar
TLSH T1B93506027E46DD03D0391637C9EF847807A8ED617B66EA1A7E9F339C64523A71D0E1CA
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://h158013.srv16.test-hf.su/Flowertrack.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
HEUR-Backdoor.MSIL.LightStone.gen-d5756ce06fa.exe
Verdict:
Malicious activity
Analysis date:
2023-01-05 05:18:29 UTC
Tags:
trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/14444e1c-62a5-4e38-a05a-7dd082ae032c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349536/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Packed.Uztuby-9877681-0
Create hunting rule

Win.Malware.Uztuby-9878616-0
Create hunting rule

Win.Packed.Uztuby-9878626-0
Create hunting rule

Win.Packed.Uztuby-9878629-0
Create hunting rule

Win.Packed.Uztuby-9878755-0
Create hunting rule

Win.Malware.Uztuby-9878756-0
Create hunting rule

Win.Packed.Basic-9892827-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Launching a process
Creating a file
Creating a file in the system32 subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe dcrat explorer.exe hacktool obfuscated packed stealer
Link:
https://www.filescan.io/uploads/63b65d140e926711fd76fc72/reports/5758069f-299b-46e4-a6c6-78e03057eee7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d539115-7e83-4575-882e-600e399fa1ee
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145449
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 778181 Sample: HEUR-Backdoor.MSIL.LightSto... Startdate: 05/01/2023 Architecture: WINDOWS Score: 100 88 h158013.srv16.test-hf.su 2->88 90 www.test-hf.su 2->90 92 pxe1.host-food.ru 2->92 106 Snort IDS alert for network traffic 2->106 108 Multi AV Scanner detection for domain / URL 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 14 other signatures 2->112 10 HEUR-Backdoor.MSIL.LightStone.gen-d5756ce06fa.exe 10 17 2->10         started        14 JVcnvfQyRRQoghBIWNFPnNtenESI.exe 3 2->14         started        16 RuntimeBroker.exe 3 2->16         started        18 14 other processes 2->18 signatures3 process4 dnsIp5 72 C:\Windows\System32\wbem\...\WmiPrvSE.exe, PE32 10->72 dropped 74 C:\Windows\System32\...\RuntimeBroker.exe, PE32 10->74 dropped 76 C:\Users\...\JVcnvfQyRRQoghBIWNFPnNtenESI.exe, PE32 10->76 dropped 78 4 other malicious files 10->78 dropped 118 Creates an undocumented autostart registry key 10->118 120 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->120 122 Creates multiple autostart registry keys 10->122 130 4 other signatures 10->130 21 cmd.exe 1 10->21         started        24 schtasks.exe 1 10->24         started        26 schtasks.exe 1 10->26         started        28 2 other processes 10->28 124 Antivirus detection for dropped file 14->124 126 Multi AV Scanner detection for dropped file 14->126 128 Machine Learning detection for dropped file 14->128 94 h158013.srv16.test-hf.su 18->94 96 h158013.srv16.test-hf.su 18->96 98 4 other IPs or domains 18->98 file6 signatures7 process8 signatures9 114 Uses ping.exe to sleep 21->114 116 Uses ping.exe to check the status of other devices and networks 21->116 30 HEUR-Backdoor.MSIL.LightStone.gen-d5756ce06fa.exe 4 18 21->30         started        34 conhost.exe 21->34         started        36 PING.EXE 1 21->36         started        38 chcp.com 1 21->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        process10 file11 80 C:\Windows\System32\...\winlogon.exe, PE32 30->80 dropped 82 C:\Users\Public\RuntimeBroker.exe, PE32 30->82 dropped 84 C:\...\JVcnvfQyRRQoghBIWNFPnNtenESI.exe, PE32 30->84 dropped 86 5 other malicious files 30->86 dropped 134 Creates multiple autostart registry keys 30->134 136 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->136 46 cmd.exe 30->46         started        49 schtasks.exe 30->49         started        51 schtasks.exe 30->51         started        53 2 other processes 30->53 signatures12 process13 signatures14 132 Uses ping.exe to sleep 46->132 55 SgrmBroker.exe 46->55         started        58 conhost.exe 46->58         started        60 chcp.com 46->60         started        62 PING.EXE 46->62         started        64 conhost.exe 49->64         started        66 conhost.exe 51->66         started        68 conhost.exe 53->68         started        70 conhost.exe 53->70         started        process15 dnsIp16 100 h158013.srv16.test-hf.su 55->100 102 www.test-hf.su 55->102 104 pxe1.host-food.ru 55->104
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5756ce06fa61c126c91f1c499ccc48222ac221167fa51d82d8546e490f2688e/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 18:43:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2v2wzydpuyobe3er6hcjttgeqirkyiqrm75fdwbnqvdojehsncha._file
Verdict:
malicious
Similar samples:
1586be1a8d88a8593cb0d5ed7f779fc672a0e58c4d5b385dc926469af9163a85
DCRat
23c9fe013be7bed47c421bb84e272c492787dc16d773596263d4f25f638d8e6f
DCRat
2c3c8728fe2ac3281be62eb64c5b515ce4fbd72cebe590e619c3d6337c0d8326
DCRat
346b769168c5fc8865428098350048f6e604a7a7bd5846bf03d99e4244663706
DCRat
58a7160bc9c6b737602ae6560a308cc5a824807f6ba4fb61efc5d5bb0c41ff91
DCRat
8a5bec4293f13f84bbbcf619299eff545fe08f3276d9530381abd41d31a60300
DCRat
bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
DCRat
c73fd1810d771974cff5f436a14f76cb3cbeb442baf97f3553ba99cf118bc337
DCRat
d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e
DCRat
+ 3'184 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat
Link:
https://tria.ge/reports/230105-fx5mlaed9t/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
DCRat payload
DcRat
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2ef99c4c-d4be-477d-9100-c5a1abc36ce0
Unpacked files
SH256 hash:
d5756ce06fa61c126c91f1c499ccc48222ac221167fa51d82d8546e490f2688e
MD5 hash:
93f80e6943dae23ec3b7335ba4acb355
SHA1 hash:
42b79ad80b9bd7f3318d1086b9832106b2cadd49
Link:
https://www.unpac.me/results/ab2b5cd1-f2ee-470e-ba37-a54ebdd0ea45/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/d5756ce06fa61c126c91f1c499ccc48222ac221167fa51d82d8546e490f2688e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349536/

Comments