MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e490ab9b5bac69d461cc60d1a3fcb451a5c33a46111e0f946d727b4e893d133e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e490ab9b5bac69d461cc60d1a3fcb451a5c33a46111e0f946d727b4e893d133e
SHA3-384 hash: 8ba1ce36cef85dd2f4868732f6d60a09b43fd80a4e910a49f1d3dd30e080b8841504aec1c2c99c4e7f5ac0ad9a5ab994
SHA1 hash: 652ee90fa166c445f2e825da23505d7a9d62f342
MD5 hash: 122f1b4d55dbf1a630dfdb4b99d5ad7f
humanhash: autumn-oranges-missouri-princess
File name:file
Download: download sample
Signature DCRat
Create hunting rule
File size:2'969'328 bytes
First seen:2023-10-25 13:33:52 UTC
Last seen:2023-10-28 13:34:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:7D58Z6xWKO99CqBO71MHSRNKiLLY2bnKljn9BfgsltE18JbSIQ/8+XiX1:7D58AO99CqE70SRNK2Rro9BtTEOMVXiF
Threatray 391 similar samples on MalwareBazaar
TLSH T1FED533417AD4C838F16E8D72C9C7AAA355F2BDA8232699C7E795380F01763C41B386F5
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon ecd8dcccded6c4c4 (1 x DanaBot, 1 x RemcosRAT, 1 x DCRat)
Reporter andretavare5
Tags:DCRat exe signed

Code Signing Certificate

Organisation:Microsoft
Issuer:Microsoft
Algorithm:sha256WithRSAEncryption
Valid from:2023-10-15T00:00:00Z
Valid to:2025-10-15T00:00:00Z
Serial number: 09d1020c654d4f86
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 4978d4661810df6b8fd8c1be5e039968b6381c52a017314abfe5af455e97474b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc828689496_665530007?hash=7bsm3RrvbpDttQzC0kALZu2dhQhovufNjz0scExi2mT&dl=01BwpdOYZ95MHhJnOBeOQYSzenXBZz80E9kNYKpKG8z&api=1&no_preview=1#s6

Intelligence

File Origin
# of uploads :
31
# of downloads :
363
Origin country :
US US
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-25 13:35:17 UTC
Tags:
rat backdoor dcrat remote stealer
Link:
https://app.any.run/tasks/5932fd7a-b6b5-4f9a-9896-4c66e412b37d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456291/
Detection(s):
Win.Keylogger.Gencbl-9969771-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Loading a suspicious library
Sending a custom TCP request
Sending a UDP request
Connecting to a non-recommended domain
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Creating a file
Unauthorized injection to a recently created process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
installer keylogger lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6539194b72356e4f29e6b467/reports/fe53f17f-9017-47bd-9af1-dd6351affa15/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/e490ab9b5bac69d461cc60d1a3fcb451a5c33a46111e0f946d727b4e893d133e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9d42f417-315b-4830-9193-991640ea9915
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331907
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1331907 Sample: file.exe Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Antivirus detection for URL or domain 2->68 70 Antivirus detection for dropped file 2->70 72 5 other signatures 2->72 9 file.exe 8 2->9         started        process3 file4 50 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 9->50 dropped 52 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 9->52 dropped 74 Contains functionality to register a low level keyboard hook 9->74 13 cmd.exe 2 9->13         started        signatures5 process6 signatures7 78 Uses ping.exe to sleep 13->78 80 Uses ping.exe to check the status of other devices and networks 13->80 16 BrowserDriver.exe 4 21 13->16         started        20 7z.exe 2 13->20         started        22 7z.exe 3 13->22         started        24 10 other processes 13->24 process8 file9 40 C:\Users\user\Desktop\veWPTbBV.log, PE32 16->40 dropped 42 C:\Users\user\Desktop\scjgyswa.log, PE32 16->42 dropped 44 C:\Users\user\Desktop\WZRkXZbS.log, PE32 16->44 dropped 48 7 other malicious files 16->48 dropped 64 Found many strings related to Crypto-Wallets (likely being stolen) 16->64 26 cmd.exe 1 16->26         started        46 C:\Users\user\AppData\...\BrowserDriver.exe, PE32 20->46 dropped signatures10 process11 signatures12 76 Uses ping.exe to sleep 26->76 29 smartscreen.exe 7 501 26->29         started        34 conhost.exe 26->34         started        36 PING.EXE 1 26->36         started        38 chcp.com 1 26->38         started        process13 dnsIp14 62 77.91.124.41, 49718, 49719, 49722 ECOTEL-ASRU Russian Federation 29->62 54 C:\Users\user\Desktop\ykPXlgJm.log, PE32 29->54 dropped 56 C:\Users\user\Desktop\wZsWlOel.log, PE32 29->56 dropped 58 C:\Users\user\Desktop\nwkhBUOE.log, PE32 29->58 dropped 60 2 other malicious files 29->60 dropped 82 Found many strings related to Crypto-Wallets (likely being stolen) 29->82 84 Tries to harvest and steal browser information (history, passwords, etc) 29->84 file15 signatures16
Score:
66%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/e490ab9b5bac69d461cc60d1a3fcb451a5c33a46111e0f946d727b4e893d133e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e490ab9b5bac69d461cc60d1a3fcb451a5c33a46111e0f946d727b4e893d133e/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 13:34:05 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
5 of 23 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4sikxg23vru5iyommdi2h7fukgs4gosgcepa7fdnoj5u5cj5cm7a._file
Verdict:
malicious
Similar samples:
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
DCRat
35b70fc462fe02d507a58c2b5a33ddd5e26aadc7ac8fe3beae2a82666c8b17c6
DCRat
4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe
DCRat
4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6
DCRat
7ca339f9bf73ef302951d7ea7ef6089ab670c82e98837b8c684a2591c611b6fd
DCRat
86f5b4f32c68f9337a19363da77d77b6275923da37d2e4144b8f0740620fd3ac
DCRat
ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894
DCRat
ae68aa627df4a3fd10e5416195e29203ea60227560f3e1de22fb907e86c369ad
DCRat
cdffe175d69a7b4c7fb9e7fa2aef3f266ce8af7d03d3859ec5b3f82cb72c9797
DCRat
f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a
DCRat
+ 381 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231025-qt3zpshh3v/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
26f177b3c07dba840d9775e8cf855b6c741322bdf5e76a5b0196cba6c2631fe1
MD5 hash:
c62edf53fe1e7ead87935902a9367c07
SHA1 hash:
5da3febe254cb198c9daff0b950f1544bf014d04
Link:
https://www.unpac.me/results/a7cffaa0-d048-4a3b-be61-1e76b08728f3/
SH256 hash:
e490ab9b5bac69d461cc60d1a3fcb451a5c33a46111e0f946d727b4e893d133e
MD5 hash:
122f1b4d55dbf1a630dfdb4b99d5ad7f
SHA1 hash:
652ee90fa166c445f2e825da23505d7a9d62f342
Link:
https://www.unpac.me/results/a7cffaa0-d048-4a3b-be61-1e76b08728f3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e490ab9b5bac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e490ab9b5bac69d461cc60d1a3fcb451a5c33a46111e0f946d727b4e893d133e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/456291/

Comments