MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

SHA256 hash: ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
SHA3-384 hash: 9836131df75d31319ef4d5bc86d9af32d1b3a6cf8b8b1b21357de353f993d68428ecd044494cb8aa62b48403ce36392c
SHA1 hash: 5add2c61afcef935b6a63bf4ced694a6975f2d00
MD5 hash: a257ea9730cbbaf7b4bb364e92821595
humanhash: music-march-glucose-maine
File name: a257ea9730cbbaf7b4bb364e92821595.exe
Signature: DCRat
File size: 459'264 bytes
First seen: 2021-08-02 06:00:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep: 12288:G5oaqjp/9Tk3DPcElx5Lr6k4D6LhkCyMfvM7ueGZjmVK1I:G5v4DTk3DPcElxhr6k42kCyUvMynjgF
Threatray: 189 similar samples on MalwareBazaar
TLSH: T107A4E057B2D02199D7F582B6D5920746E7B130361B24A3DB2BB913B72B1B9C69F3C380
Reporter: abuse_ch
Tags: DCRat exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 554
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a257ea9730cbbaf7b4bb364e92821595.exe
Verdict: No threats detected
Analysis date: 2021-08-02 06:03:04 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DCRat Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Disables security and backup related services
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Schedule system process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 457693 (sample: TusisaehJA.exe; start date: 02/08/2021; architecture: WINDOWS; score: 100)

Process tree with dropped files, network indicators and signatures, as recorded in the graph:

Analysis root
  network: 45.137.190.236, 49752, 49753, 49754, BITWEB-ASRU, Russian Federation
  signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 8 other signatures
  started: TusisaehJA.exe, svchost.exe, svchost.exe
  TusisaehJA.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+)
    started: cmd.exe, conhost.exe
    cmd.exe
      signatures: Wscript starts Powershell (via cmd or directly); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
      started: vbn.exe, welldone.exe, zxc.exe, 7 other processes
      vbn.exe
        dropped: C:\...\WinruntimedhcpNetcommon.exe (PE32); C:\Winruntimedhcp\VJt8Zy0BQ8pAy.bat (ASCII)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        started: wscript.exe
        wscript.exe
          network: 192.168.2.1, unknown, unknown
          signatures: Wscript starts Powershell (via cmd or directly)
          started: cmd.exe
          cmd.exe
            started: WinruntimedhcpNetcommon.exe, conhost.exe
            WinruntimedhcpNetcommon.exe
              dropped: C:\Windows\addins\FxQIFwrfOWmVNqAC.exe (PE32); C:\Users\Default\ShellExperienceHost.exe (PE32); C:\Users\Default\AppData\...\conhost.exe (PE32); 2 other malicious files
              signatures: Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Drops executable to a common third party application directory; Hides that the sample has been downloaded from the Internet (zone.identifier)
      welldone.exe
        dropped: C:\Users\user\AppData\...\MicrosoftApi.exe (PE32+)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        started: MicrosoftApi.exe
        MicrosoftApi.exe
          dropped: C:\Users\user\AppData\...\tmpD5B5.tmp.cmd (DOS)
          signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file
          started: cmd.exe, cmd.exe
          cmd.exe
            signatures: Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
            started: conhost.exe, timeout.exe, powershell.exe
          cmd.exe
            started: conhost.exe, 2 other processes
      zxc.exe
        dropped: C:\Windows\Client.exe (PE32); C:\Users\user\AppData\Local\...\nsProcess.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
        signatures: Disables security and backup related services
        started: cmd.exe, cmd.exe, cmd.exe, 2 other processes
        cmd.exe
          started: sc.exe, conhost.exe
          sc.exe
            signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        cmd.exe
          started: net.exe, conhost.exe
          net.exe
            started: net1.exe
        cmd.exe
          started: 2 other processes
          2 other processes
            started: net1.exe
        2 other processes
          started: 4 other processes
      7 other processes
        network: cdn.discordapp.com, 162.159.133.233, 443, 49734, 49736, CLOUDFLARENETUS, United States
        dropped: C:\Users\user\AppData\Local\Temp\...\zxc.exe (PE32); C:\Users\user\AppData\Local\...\welldone.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\vbn.exe (PE32)
  svchost.exe
  svchost.exe
Result
Threat name: Win64.Exploit.BypassUac
Status: Malicious
First seen: 2021-08-01 22:05:13 UTC
AV detection: 15 of 46 (32.61%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: suricata upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
Unpacked files
SHA256 hash: ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
MD5 hash: a257ea9730cbbaf7b4bb364e92821595
SHA1 hash: 5add2c61afcef935b6a63bf4ced694a6975f2d00
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download | DCRat | Executable exe | ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8 (this sample)

Delivery method: Distributed via web download
