MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e215f93c2db06939381c153fcccb67c78ff04a15dc450d5097588f285b23c882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e215f93c2db06939381c153fcccb67c78ff04a15dc450d5097588f285b23c882
SHA3-384 hash: 88986a1c884cb719e4238aef1dd1ccd550be34969b0710f813ee232256ec3707c8cba0f424486563878784f08a89c617
SHA1 hash: ce59df7299ce8084f763af956628af70fd828f00
MD5 hash: 5a4766c996bb6586eef8c9b95c6ed582
humanhash: zulu-oven-two-harry
File name:5a4766c996bb6586eef8c9b95c6ed582
Download: download sample
Signature DCRat
Create hunting rule
File size:2'281'984 bytes
First seen:2022-01-01 17:31:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:onWsrXfdZPIzMqbR3wskaiSUCfR13jFkjKpCF2MT:o3PzG5R3t/UCf7jFkjKpE2MT
Threatray 28 similar samples on MalwareBazaar
TLSH T1B7B53311BF4E37B2C0ABB9F687AF412FD967A0892060E314C175B33FC64B76B1249496
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5a4766c996bb6586eef8c9b95c6ed582
Verdict:
Malicious activity
Analysis date:
2022-01-01 17:35:21 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/3edc65a6-5b38-4b93-8176-e3704c5f1bea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217013/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop19.21919.17347.29242.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Searching for analyzing tools
Searching for the window
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d09015ec6c6c14a903931b/reports/c8d6f239-a688-4c58-8b6b-072b36b67609/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a593689-ef79-441f-99d4-8d420ada261a
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914492
Signature
Connects to a pastebin service (likely for C&C)
Creates files inside the volume driver (system volume information)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546970 Sample: aTEuNvR5p8 Startdate: 01/01/2022 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 12 other signatures 2->51 8 aTEuNvR5p8.exe 6 20 2->8         started        12 qmSPtcOPXahldfWoQDCxnTqCt.exe 15 15 2->12         started        15 qmSPtcOPXahldfWoQDCxnTqCt.exe 3 2->15         started        17 4 other processes 2->17 process3 dnsIp4 31 C:\Windows\...\qmSPtcOPXahldfWoQDCxnTqCt.exe, PE32 8->31 dropped 33 C:\Windows\SysWOW64\write\RuntimeBroker.exe, PE32 8->33 dropped 35 C:\Windows\SysWOW64\...\RuntimeBroker.exe, PE32 8->35 dropped 37 4 other malicious files 8->37 dropped 63 Detected unpacking (changes PE section rights) 8->63 65 Creates files inside the volume driver (system volume information) 8->65 67 Tries to evade analysis by execution special instruction which cause usermode exception 8->67 75 2 other signatures 8->75 19 cmd.exe 1 8->19         started        39 82.146.43.67, 49744, 49745, 49748 THEFIRST-ASRU Russian Federation 12->39 41 pastebin.com 104.23.99.190, 443, 49743 CLOUDFLARENETUS United States 12->41 43 192.168.2.1 unknown unknown 12->43 69 Tries to harvest and steal browser information (history, passwords, etc) 12->69 71 Hides threads from debuggers 12->71 73 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->73 file5 signatures6 process7 signatures8 53 Drops executables to the windows directory (C:\Windows) and starts them 19->53 22 RuntimeBroker.exe 3 19->22         started        25 w32tm.exe 1 19->25         started        27 conhost.exe 19->27         started        process9 signatures10 55 Multi AV Scanner detection for dropped file 22->55 57 Detected unpacking (changes PE section rights) 22->57 59 Tries to detect sandboxes and other dynamic analysis tools (window names) 22->59 61 4 other signatures 22->61 29 w32tm.exe 1 25->29         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e215f93c2db06939381c153fcccb67c78ff04a15dc450d5097588f285b23c882/
Threat name:
Win32.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-12-31 18:45:06 UTC
File Type:
PE (Exe)
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
229e27d75b86582a1c728de0898c3a8193f463db7b07176ac6cde7bbc8e9883a
DCRat
5d843a991e50d5cb0b420c0416b855aea512a3f7296a0964d1ccd224f3ac8718
DCRat
63a8a847683b777e6d6143a1c886a2d38bd68ab632826115763db3b214d1e127
DCRat
657aa81665835f9c9ebe28e9a54c583e123498fd1284511ed95568b7d0597a55
DCRat
7c793c742aff570a9052b1a2f559b781c70342678ad6582a42c6cc47260da425
DCRat
877c0c4537bce1b5e8730eaa12cb2ffbb0ad17067e7dcfd2b89c4985f33e4f17
DCRat
94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713
DCRat
b4373e36a5aa7a4ed214da50dc54d3f89503f2cff576d5523b51f1dab202b048
DCRat
d33a4d3ac76095145e6061009fc20432b5c2c6ec4a828c7b6956ea5f072f2c34
DCRat
f87ed79fbb1a2228c97fb59127eade39c4f8218fa28ddd76b50da177d81438e3
DCRat
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer suricata
Link:
https://tria.ge/reports/220101-v4ahcsgcfl/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
e215f93c2db06939381c153fcccb67c78ff04a15dc450d5097588f285b23c882
MD5 hash:
5a4766c996bb6586eef8c9b95c6ed582
SHA1 hash:
ce59df7299ce8084f763af956628af70fd828f00
Link:
https://www.unpac.me/results/575e8ae6-c116-40d2-8605-a2026a242f6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e215f93c2db06939381c153fcccb67c78ff04a15dc450d5097588f285b23c882

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe e215f93c2db06939381c153fcccb67c78ff04a15dc450d5097588f285b23c882

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1941601/
Cape
Cape
https://www.capesandbox.com/analysis/217013/

Comments


Avatar
zbet commented on 2022-01-01 17:31:44 UTC

url : hxxp://data-host-coin-8.com/files/1655_1640976736_6896.exe