MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
SHA3-384 hash: 2420889a7e56efddab698c60a9eae5e9797a3db2bdc3e2664f93530985f81ca202704315012161d793c1c82a63d4e8de
SHA1 hash: 595a5c2d50e0675fb2a35f8f01aec12c3bb03b3b
MD5 hash: b1c1d5a5a79f7dcc878b3648a0bcb0c6
humanhash: gee-robert-cold-victor
File name:b1c1d5a5a79f7dcc878b3648a0bcb0c6
Download: download sample
Signature DCRat
Create hunting rule
File size:2'179'584 bytes
First seen:2024-04-07 04:24:40 UTC
Last seen:2024-04-07 05:21:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep 49152:lS5Y0dPfBBpa1O/VZjTfcy2tyEGc0ng/5nH+VO7O0G:lSJBqU/HDctyJc0gZG
Threatray 422 similar samples on MalwareBazaar
TLSH T12CA53353DA547077CD4A427280E2BBE57781BB2F9D03C43465D3A8614A1CBABCAD373A
TrID 32.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.8% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c.exe
Verdict:
Malicious activity
Analysis date:
2024-04-07 04:26:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6c77b55e-c10f-499c-a117-a18b6ee03779

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed peunion
Link:
https://www.filescan.io/uploads/661242f735699b4745bf324c/reports/283eb8a3-a73f-443d-bcb2-135a022481e0/overview
Verdict:
Malicious
Labled as:
ExNuma.Generic
Link:
https://www.hybrid-analysis.com/sample/e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86cc6358-ba1b-4ade-9eb4-fce71f02c874
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1421479
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive USB information (via WMI, WIN32_USBHUB, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1421479 Sample: joPS73cEOb.exe Startdate: 07/04/2024 Architecture: WINDOWS Score: 100 107 api.telegram.org 2->107 109 231.58.0.0.in-addr.arpa 2->109 111 4 other IPs or domains 2->111 139 Snort IDS alert for network traffic 2->139 141 Multi AV Scanner detection for domain / URL 2->141 143 Found malware configuration 2->143 147 21 other signatures 2->147 12 joPS73cEOb.exe 2 2->12         started        15 conhost.exe 2->15         started        17 conhost.exe 3 2->17         started        20 10 other processes 2->20 signatures3 145 Uses the Telegram API (likely for C&C communication) 107->145 process4 file5 105 C:\Users\user\AppData\...\ratizounfhoisef.exe, PE32 12->105 dropped 22 ratizounfhoisef.exe 3 10 12->22         started        26 cmd.exe 15->26         started        131 Antivirus detection for dropped file 17->131 133 Multi AV Scanner detection for dropped file 17->133 135 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->135 137 3 other signatures 17->137 28 cmd.exe 20->28         started        30 cmd.exe 20->30         started        signatures6 process7 file8 93 C:\Users\user\...\ProviderDriverNet.exe, PE32 22->93 dropped 95 C:\Users\...\JK6gmGek8xn8B6fPCdEqzuaHCz.vbe, data 22->95 dropped 151 Multi AV Scanner detection for dropped file 22->151 32 wscript.exe 1 22->32         started        35 conhost.exe 26->35         started        39 conhost.exe 26->39         started        41 conhost.exe 28->41         started        43 conhost.exe 28->43         started        45 conhost.exe 30->45         started        47 XfyIRXMZoOpVNepOmbRoC.exe 30->47         started        signatures9 process10 dnsIp11 121 Windows Scripting host queries suspicious COM object (likely to drop second stage) 32->121 123 Suspicious execution chain found 32->123 49 cmd.exe 1 32->49         started        113 api.telegram.org 149.154.167.220, 443, 49729, 49753 TELEGRAMRU United Kingdom 35->113 115 a0932621.xsph.ru 141.8.192.217, 49724, 49727, 49728 SPRINTHOSTRU Russian Federation 35->115 117 ipinfo.io 34.117.186.192, 443, 49726 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 35->117 87 041a46b62673aeef39...f597422e1423852.exe, PE32 35->87 dropped 89 a313d1fc-8d9a-483b-8be6-1f7ed2252158.vbs, ASCII 35->89 dropped 91 25a9ed77-d156-4ed0-8cf9-5b861c3c357d.vbs, ASCII 35->91 dropped 125 Protects its processes via BreakOnTermination flag 35->125 127 Tries to harvest and steal browser information (history, passwords, etc) 35->127 129 Tries to steal Crypto Currency Wallets 35->129 51 wscript.exe 35->51         started        54 wscript.exe 35->54         started        file12 signatures13 process14 signatures15 56 ProviderDriverNet.exe 19 14 49->56         started        61 conhost.exe 49->61         started        149 Windows Scripting host queries suspicious COM object (likely to drop second stage) 51->149 process16 dnsIp17 119 ip-api.com 208.95.112.1, 49699, 49700, 49703 TUT-ASUS United States 56->119 97 C:\Users\user\AppData\Roaming\...\RCXF481.tmp, PE32 56->97 dropped 99 C:\Users\user\AppData\Roaming\...\RCX9CBF.tmp, PE32 56->99 dropped 101 C:\Recovery\conhost.exe, PE32 56->101 dropped 103 6 other malicious files 56->103 dropped 153 Multi AV Scanner detection for dropped file 56->153 155 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->155 157 Creates an undocumented autostart registry key 56->157 159 7 other signatures 56->159 63 powershell.exe 56->63         started        65 powershell.exe 56->65         started        67 powershell.exe 56->67         started        69 11 other processes 56->69 file18 signatures19 process20 process21 71 conhost.exe 63->71         started        73 WmiPrvSE.exe 63->73         started        75 conhost.exe 65->75         started        77 conhost.exe 67->77         started        79 conhost.exe 69->79         started        81 conhost.exe 69->81         started        83 conhost.exe 69->83         started        85 6 other processes 69->85
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c/
Threat name:
Win32.Trojan.ExNuma
Create hunting rule
Status:
Malicious
First seen:
2024-03-29 18:58:50 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4cv3j6quocl2j6yxldwsbn6ruvhqedin4lmbisrl5lweaswljvga._file
Verdict:
malicious
Similar samples:
1a39cff5d5b0b550cd9b30f08c0e32430c2e1b92aecc663d4151789e54d13f64
DCRat
40e2af7feff476ac43edae054634e294c55e966e7139d77d0bcd98d49a228aab
DCRat
6eb5421bfa171c080165a6fd4a5d87db8f3118cf95669036d273cb16f24d566d
DCRat
7fed6406da8c6fac0504f899f2d88cf18c82b40d10d28e0651d851aa8113a13b
DCRat
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
DCRat
+ 412 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/240407-e1yg1sdd83/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Unpacked files
SH256 hash:
c09d7b1ecf9dd4917c8f081132ac5c533bc326959505d7364aa546d4822e5c9c
MD5 hash:
60b6a611559a27f113b51c76733f26d0
SHA1 hash:
6dc70a539f0d1c8b9a84edef26c2bdf82bbfa098
Link:
https://www.unpac.me/results/d5ba5d89-c9ef-40e7-8825-5e9a3d215237/
SH256 hash:
b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f
MD5 hash:
89bf0f7e9adf290c6d571eccf79206a9
SHA1 hash:
65f95791234ff93bc3e35f1d35d7a6664872dc56
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/d5ba5d89-c9ef-40e7-8825-5e9a3d215237/
Parent samples :
d5775aecd2e8d149e2b9ba576ddc2db3624a974cafc8fc1df318226fc2c6d4b4
8e997bef9ad61722cb7b782da93b7373acd19dbdc4cb91b47e80280e2100b6a3
5ba1b028da2c0e52c38c7a55bf1e7952cc50c907576ec2f22b6a25d691dde2d6
be15d47389920ab9637eefc24bbf6c191607013a3d2608c1243a377aacb5d4ce
f027301d00c6bc4b1c87e5e3266775f395907fa04e2c768b7082381d60880f82
b1088573c2e783e97fb07ccf1d8d8e9372ccd8983cc07c7ee9c6989a3844b334
e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff
45e1440acf3453915252d0d61ffcee6fd96170ccf2323c16178dfaaa186565f8
1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
f733fbe95a7fe8a2c0ef459b05fed88b7a295de5e39c591bf62d3e0a5575e6fc
658b0a01404144b5da03574e2a05b6c02030baa2276b9e047174c6ccb3e8918d
cf4efad0b9d74151b09be4acfb12d1aea2a9e316b97a2eb7f4ca8ac12b0e6d8c
381bb149e04bec8f62336cdf3c81741c2c7a471f6dacc2f7835eb174643abad7
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
1a39cff5d5b0b550cd9b30f08c0e32430c2e1b92aecc663d4151789e54d13f64
1b881d8c3ba53e9b250de6d1118a27738fd8e88fd475e3e01afabd4e627f83a2
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
2ec983b4653f6a5ee028e9ecfa37d8cf2404a10e9691bb8ed39023be643ef55e
797bbd3d5e08ab4919540911ab6149be0c6f38de3659378bf38fc5ac01ccee48
4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
4d908524b238846077a6fb1df34be93ae926e13c15bb8ac5c45a8980ef4862ce
581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892
8ac5083f52da0ff312259331f65b326782803aa837a7b371a6d43a021b0c24c3
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
e1a60229372db9d65dbadfe6db923edf3987ac9f908878491bd12497613324d8
41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
ab71530434f64e6aa105732c42dbb5a409ac0aae4258b3c3e7db1a7d5914cc30
3b88fdeb5144b0f3a710b42cefa937e57aed28001acb82562229472ce258a124
70fbebc77d5f37a0ffd373be6ee9f218a5ea30b86e395e7212b850f0f6934b6f
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
1d6628a6cd66f3dd7f3377ee1c30e8a92cedb1d40f5a121b84e5ab84a0e19909
841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4
1b304c8a2ae4546bd7958c7f22becaf6b682a5c88b7a01945a952de991b0ef0b
693cf45b243073eeb5479f4b29ff36c417b858b042363cf1a53d7623504a6d29
f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
48be2502fad84657b383c41b2616f34a029f9a39d63aae1a1714faf7ba79e3da
SH256 hash:
c6b76b9fba7b0694024473fdc37b6da8da9b83aff25c621eac0eaf1f57c6cecc
MD5 hash:
f3388d36878f3802e6976c16c018e32c
SHA1 hash:
0b97d3ba7a0385b79a02d9939595b1e3b008f68f
Link:
https://www.unpac.me/results/d5ba5d89-c9ef-40e7-8825-5e9a3d215237/
SH256 hash:
b7bd041c4c68a5debf92831ffa7ce911873577771e4b2161e654b4a6716de610
MD5 hash:
963611ab8d4c3fe3f9f501a79350d15b
SHA1 hash:
f416a19d2758aa93e30e09e1796e22cd88682325
Link:
https://www.unpac.me/results/d5ba5d89-c9ef-40e7-8825-5e9a3d215237/
SH256 hash:
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
MD5 hash:
b1c1d5a5a79f7dcc878b3648a0bcb0c6
SHA1 hash:
595a5c2d50e0675fb2a35f8f01aec12c3bb03b3b
Link:
https://www.unpac.me/results/d5ba5d89-c9ef-40e7-8825-5e9a3d215237/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0abb4fa1470/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2803429/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::VirtualAllocExNuma
kernel32.dll::CreateThread
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA

Comments


Avatar
zbet commented on 2024-04-07 04:24:41 UTC

url : hxxp://a0932621.xsph.ru/linuxasync/080389b6ed5252ce01ad79d9415c648c3ad0a5e2.bin