MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e
SHA3-384 hash: 6ec0d5a243f2405e8b4ff7c6d573fbee0f72494308c445119b0fd00c842da0b9cb4208b978c3f46eed9c571c6b54d73a
SHA1 hash: ba7ca2bfb8f945aaf6057cdaf173c2fc7f1658cb
MD5 hash: a7851c185524218526b5ab0703eefad7
humanhash: five-lake-nebraska-kentucky
File name:a7851c185524218526b5ab0703eefad7
Download: download sample
Signature DCRat
Create hunting rule
File size:7'632'896 bytes
First seen:2024-10-18 16:12:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 53ff33fd5198e78ab468db682bbdf2b7 (3 x LummaStealer, 2 x RedLineStealer, 2 x DCRat)
ssdeep 196608:7YYYmlFWx6415rAAmfgBZGEmEAOUCJ70:0YYm/o7frAAug6EEqJ70
TLSH T1A9763312F0FE0831D5332A350659C7B14A35B9228DC1B4EB5BAE2F3EDF606805BB5D66
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
a7851c185524218526b5ab0703eefad7
Verdict:
Malicious activity
Analysis date:
2024-10-18 16:13:51 UTC
Tags:
dcrat netreactor wmi-base64 susp-powershell miner silentcryptominer rat remote darkcrystal exfiltration
Link:
https://app.any.run/tasks/a3bb3e6c-c229-4bcb-9c0c-d3024a1bd224

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Jaik-10036454-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6712891034f884d15c8cc86d
Tags:
Powershell Autorun Cobalt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed packed packer_detected shell32
Link:
https://www.filescan.io/uploads/671289105c4ea75bc80afa87/reports/a3d38c5f-30c9-4e41-b9d3-9770e3ea752a/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e
Result
Verdict:
MALICIOUS
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/387f9891-c55f-4f03-a858-5910be16f3b9
Result
Threat name:
DCRat, PureLog Stealer, Xmrig, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1537271
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Disable power options
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powercfg.exe to modify the power settings
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1537271 Sample: A5jfl43XHt.exe Startdate: 18/10/2024 Architecture: WINDOWS Score: 100 90 Suricata IDS alerts for network traffic 2->90 92 Antivirus detection for dropped file 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 18 other signatures 2->96 8 A5jfl43XHt.exe 3 2->8         started        11 sihost.exe 2->11         started        15 winlogon.exe 2->15         started        17 5 other processes 2->17 process3 dnsIp4 74 C:\Users\user\AppData\...\Rh1fxCF1qc.exe, PE32+ 8->74 dropped 76 C:\Users\user\AppData\...\PJjJpXycFy.exe, PE32 8->76 dropped 19 PJjJpXycFy.exe 9 26 8->19         started        23 Rh1fxCF1qc.exe 1 2 8->23         started        88 89.110.93.210, 49733, 49736, 49737 RECONNRU Ukraine 11->88 78 C:\Users\user\Desktop\uapIEleL.log, PE32 11->78 dropped 80 C:\Users\user\Desktop\aICckgUv.log, PE32 11->80 dropped 82 C:\Users\user\Desktop\WDdLtOLF.log, PE32 11->82 dropped 84 C:\Users\user\Desktop\DIIYoOjs.log, PE32 11->84 dropped 126 Tries to harvest and steal browser information (history, passwords, etc) 11->126 128 Found direct / indirect Syscall (likely to bypass EDR) 11->128 130 Antivirus detection for dropped file 15->130 132 Multi AV Scanner detection for dropped file 15->132 134 Machine Learning detection for dropped file 15->134 file5 signatures6 process7 file8 62 C:\Windows\Setup\State62LJKGeYoboiZoPQ.exe, PE32 19->62 dropped 64 C:\Users\user\Desktop\ussrZEku.log, PE32 19->64 dropped 66 C:\Users\user\Desktop\rkviDmqy.log, PE32 19->66 dropped 72 8 other malicious files 19->72 dropped 98 Antivirus detection for dropped file 19->98 100 Multi AV Scanner detection for dropped file 19->100 102 Creates an undocumented autostart registry key 19->102 110 5 other signatures 19->110 25 cmd.exe 19->25         started        28 csc.exe 4 19->28         started        31 powershell.exe 23 19->31         started        39 4 other processes 19->39 68 C:\ProgramData\...\WindowsAutHost, PE32+ 23->68 dropped 70 C:\Windows\System32\drivers\etc\hosts, ASCII 23->70 dropped 104 Uses ping.exe to sleep 23->104 106 Uses powercfg.exe to modify the power settings 23->106 108 Modifies the context of a thread in another process (thread injection) 23->108 112 2 other signatures 23->112 33 powershell.exe 23->33         started        35 cmd.exe 23->35         started        37 sc.exe 23->37         started        41 5 other processes 23->41 signatures9 process10 file11 114 Uses ping.exe to sleep 25->114 116 Uses ping.exe to check the status of other devices and networks 25->116 43 NLJKGeYoboiZoPQ.exe 25->43         started        52 3 other processes 25->52 86 C:\Windows\...\SecurityHealthSystray.exe, PE32 28->86 dropped 118 Infects executable files (exe, dll, sys, html) 28->118 54 2 other processes 28->54 120 Loading BitLocker PowerShell Module 31->120 46 conhost.exe 31->46         started        48 conhost.exe 33->48         started        56 2 other processes 35->56 50 conhost.exe 37->50         started        58 4 other processes 39->58 60 4 other processes 41->60 signatures12 process13 signatures14 122 Multi AV Scanner detection for dropped file 43->122 124 Found direct / indirect Syscall (likely to bypass EDR) 43->124
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2024-10-11 23:45:50 UTC
File Type:
PE (Exe)
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3nvl3acpk6lujklt7lwg3o6bvyf3necywaxag72zkx2nhhqv7yxa._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
r77_core
Create hunting rule
Similar samples:
error
DCRat
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery evasion execution persistence spyware stealer
Link:
https://tria.ge/reports/241018-tn3crswcrg/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Modifies WinLogon for persistence
Modifies security service
Process spawned unexpected child process
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9aae0371-7781-4e45-820f-7e2a7e6f01b9
Unpacked files
SH256 hash:
2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669
MD5 hash:
d8bf2a0481c0a17a634d066a711c12e9
SHA1 hash:
7cc01a58831ed109f85b64fe4920278cedf3e38d
Link:
https://www.unpac.me/results/c36bfac4-b415-423c-af16-602ec3c8728b/
SH256 hash:
7c95d3b38114e7e4126cb63aadaf80085ed5461ab0868d2365dd6a18c946ea3a
MD5 hash:
e9ce850db4350471a62cc24acb83e859
SHA1 hash:
55cdf06c2ce88bbd94acde82f3fea0d368e7ddc6
Link:
https://www.unpac.me/results/c36bfac4-b415-423c-af16-602ec3c8728b/
SH256 hash:
f4e8ac39aa69ebe09c0a00d71729f5bcf9ca74f835fbffc385e339faa07d1c85
MD5 hash:
92fc1366f46eb9f4ba3748ab10fd538a
SHA1 hash:
9c1c032787d45624ebe6e38e56965cab7b00ca19
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c36bfac4-b415-423c-af16-602ec3c8728b/
Parent samples :
62c3e411841d0ddf28d849f32122c253d497412ae714c37565cec5804f6f0ffd
db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e
SH256 hash:
7cb8f7832925d01076d8d3669a58d1a023ba539b8592011dcad8d46b29994236
MD5 hash:
7971d98160e83a68a9af259c402cfb10
SHA1 hash:
3a53dc1d8601e23833e95f3e3f5d366d9f81cac3
Link:
https://www.unpac.me/results/c36bfac4-b415-423c-af16-602ec3c8728b/
SH256 hash:
db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e
MD5 hash:
a7851c185524218526b5ab0703eefad7
SHA1 hash:
ba7ca2bfb8f945aaf6057cdaf173c2fc7f1658cb
Link:
https://www.unpac.me/results/c36bfac4-b415-423c-af16-602ec3c8728b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db6abd804f57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe db6abd804f579744a973faec6dbbc1ae0bb69058b02e037f5955f4d39e15fe2e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3241623/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments


Avatar
zbet commented on 2024-10-18 16:12:39 UTC

url : hxxp://217.196.107.140/uploads/670922ee78600_joined.exe