MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6a9ba6b32b8bffc3b5b8107003960ecf142c380ec02c27b6e38a75f8e1b4ea9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 16

Intelligence 16 IOCs YARA 23 File information Comments

SHA256 hash:	e6a9ba6b32b8bffc3b5b8107003960ecf142c380ec02c27b6e38a75f8e1b4ea9
SHA3-384 hash:	4826193fef42a71440ecdd77a2add961ee57a8b8fb94a3c541ca3cd33415ea3c3f802ede82abd49a5b584b1f28479876
SHA1 hash:	2bdbb2584614fcd6ee538fba5705d9627fc75065
MD5 hash:	87a3818f4245b6f302305a2247fdbe05
humanhash:	grey-georgia-oregon-tennis
File name:	87A3818F4245B6F302305A2247FDBE05.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'355'072 bytes
First seen:	2023-11-22 10:30:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	24576:7pwzYaxXltrMIeX3Sk8fwRxhn277R/V7r6GjciJRd+Kmsa3A0Nmo5lf9xQaARf/u:7pwzL1pMIeX3SkKwbIXnGGTHdWBA4f1d
Threatray	229 similar samples on MalwareBazaar
TLSH	T16655333BBF32DA62D0C330BE52C40AE4C66DAB5A744E017D1C61949CB58A77C53CAED6
TrID	25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 19.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.1% (.EXE) Win32 Executable (generic) (4505/5/1) 7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://f0885664.xsph.ru/L1nc0In.php

Intelligence

File Origin

# of uploads :

# of downloads :

360

Origin country :

Vendor Threat Intelligence

Malware family:

dcrat

ID:

File name:

87A3818F4245B6F302305A2247FDBE05.exe

Verdict:

Malicious activity

Analysis date:

2023-11-22 10:32:50 UTC

Tags:

rat backdoor dcrat remote stealer

Link:

https://app.any.run/tasks/4a5405b6-8af8-4e1c-823e-ca762e15fa05

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DCRat

Link:

https://www.capesandbox.com/analysis/459691/

Detection(s):

PUA.Win.Packer.EnigmaProtector-19

PUA.Win.Packer.EnigmaProtector-1

Win.Malware.Bladabindi-9837421-0

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Sending a UDP request

Restart of the analyzed sample

Sending a custom TCP request

Creating a file in the Program Files subdirectories

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Creating a window

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

89%

Tags:

bladabindi dcrat enigma lolbin overlay packed packed shell32

Link:

https://www.filescan.io/uploads/655dd866d2b047f24b863947/reports/a95ea8a5-8e96-4d75-96a1-353491b79b15/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e6a9ba6b32b8bffc3b5b8107003960ecf142c380ec02c27b6e38a75f8e1b4ea9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/02a1d501-4ea4-4511-8492-1e720e4e6e65

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1346359

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates processes via WMI

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Found malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has nameless sections

Sigma detected: Schedule system process

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected DCRat

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e6a9ba6b32b8bffc3b5b8107003960ecf142c380ec02c27b6e38a75f8e1b4ea9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e6a9ba6b32b8bffc3b5b8107003960ecf142c380ec02c27b6e38a75f8e1b4ea9/

Threat name:

Win32.Backdoor.Dcrat

Status:

Malicious

First seen:

2023-11-19 01:20:00 UTC

File Type:

PE (Exe)

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=42u3u2zsxc77yo23qedqaola5tyufq4a5qbme63ohctv7dq3j2uq._file

Verdict:

malicious

DCRat

43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f

DCRat

5574e0b5e404aa5bad86dd9aca033eb35421ec30dd91a9777bd6b053514010d7

DCRat

68f6d55f31e87cebb1b5c9ea96e9c770464f8d6a937dda00b5a7139f79240d7c

DCRat

84ae6fe4cd4f1357409af9eeea51b0ceb8385242c1e67b1f22a51a9475f3ce01

DCRat

992a54c553bf5b53990d181c24b9ba44b93bc9f02f5a3d42dbf4d1e1f57ead5f

DCRat

9eb993a0a54cb16395aced5282b948d7d154722fe052e3f9cb139a34f063f04f

DCRat

c972b96ab429eabe76e5416afe76c38232a2825899e9403c93cf5f681e8c05ba

DCRat

+ 219 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat infostealer rat

Link:

https://tria.ge/reports/231122-mkc55scd5z/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

DCRat payload

DcRat

Process spawned unexpected child process

Unpacked files

SH256 hash:

e6a9ba6b32b8bffc3b5b8107003960ecf142c380ec02c27b6e38a75f8e1b4ea9

MD5 hash:

87a3818f4245b6f302305a2247fdbe05

SHA1 hash:

2bdbb2584614fcd6ee538fba5705d9627fc75065

Link:

https://www.unpac.me/results/5661faaa-ed69-4d11-bc9e-5abffca44677/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e6a9ba6b32b8bffc3b5b8107003960ecf142c380ec02c27b6e38a75f8e1b4ea9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	EnigmaProtector11X13XSukhovVladimirSergeNMarkin Create hunting rule
Author:	malware-lu

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing bas64 encoded gzip files

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_DCRat Create hunting rule
Author:	ditekSHen
Description:	DCRat payload

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/459691/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample