MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f071709c71c19d16da4a7d460f1559542e02954d0e714410d1c615b67ce22379. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f071709c71c19d16da4a7d460f1559542e02954d0e714410d1c615b67ce22379
SHA3-384 hash: 18641b9cd08b433ba13f37a741a71528ec464dceec443647ddb61fd30a5dc2e9d6a0fe43b7c3ba3eb1f32ae836048472
SHA1 hash: 99033700fe2306e7982e2c6194d676aa88697586
MD5 hash: e2b1b315921b100a562396ad39aa4537
humanhash: green-romeo-three-kentucky
File name:e2b1b315921b100a562396ad39aa4537
Download: download sample
Signature DCRat
Create hunting rule
File size:2'268'672 bytes
First seen:2021-11-13 18:57:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:5nae17mbshfdy8VuV1wc8wCAS+kam5ZhlSjRSDMofGazSsHWy:5naexVTc8wCum5ZhGRSDMQ/zSsHWy
Threatray 100 similar samples on MalwareBazaar
TLSH T193B53322267235DFD7BDCBF70AE687A6A14B3B55AC3181BD32490C5B0D3A1C0E6B1C81
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205483/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.40948.25163.24084.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61900abd3edf00a722d264dc/reports/b8efa15c-c331-4952-8311-0033b892c96b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b11a3728-f5ee-40b7-84aa-c2e40c1e88c5
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888592
Signature
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 521065 Sample: yMUuSu0n52 Startdate: 13/11/2021 Architecture: WINDOWS Score: 100 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Detected unpacking (changes PE section rights) 2->42 44 8 other signatures 2->44 6 yMUuSu0n52.exe 4 20 2->6         started        10 sppsvc.exe 3 2->10         started        12 yldGzfwgHzedqxLonS.exe 3 2->12         started        14 5 other processes 2->14 process3 file4 20 C:\Windows\...\yldGzfwgHzedqxLonS.exe, PE32 6->20 dropped 22 C:\Windows\SysWOW64\...\smartscreen.exe, PE32 6->22 dropped 24 C:\Users\Default\...\yldGzfwgHzedqxLonS.exe, PE32 6->24 dropped 26 6 other malicious files 6->26 dropped 46 Detected unpacking (changes PE section rights) 6->46 48 Detected unpacking (overwrites its own PE header) 6->48 50 Tries to evade analysis by execution special instruction which cause usermode exception 6->50 62 2 other signatures 6->62 16 sppsvc.exe 16 189 6->16         started        52 Multi AV Scanner detection for dropped file 10->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->54 56 Tries to detect sandboxes and other dynamic analysis tools (window names) 10->56 64 3 other signatures 10->64 58 Hides threads from debuggers 12->58 60 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->60 signatures5 process6 dnsIp7 28 82.146.43.67, 49784, 49787, 49788 THEFIRST-ASRU Russian Federation 16->28 30 192.168.2.1 unknown unknown 16->30 32 Tries to harvest and steal browser information (history, passwords, etc) 16->32 34 Hides threads from debuggers 16->34 36 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->36 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f071709c71c19d16da4a7d460f1559542e02954d0e714410d1c615b67ce22379/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 12:12:14 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
DCRat
38b951946943714900dc29bb01ce025a84e0f52f095e2901e74a509b9499f2c6
DCRat
4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd
DCRat
5c7291c8c0c9aae91453faabe543abd6da50a2600ba74cd9fd1faa18a939cd4b
DCRat
864e6ddd9c09a95df11b80abbaa0b1a9a4fb890cb27ad21883f44853094bb0cd
DCRat
9e4ef8eeb8d7eeab54ac5d61c175c32c82a9b7f4e6a28b1b776e789edffcfbbb
DCRat
a9fe52010982ccd3628a5a882c019556b361c3fa7c29cb8052ff66f02bd28490
DCRat
ada1c5359c35e6b70c5a2d5533f9d725f86a1e155c8486bfd2941c9b40478ea2
DCRat
b01b61c911a3b80d4f265e4915f9d62275efa34f84989f77be142f3f9e062f9b
DCRat
+ 90 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer
Link:
https://tria.ge/reports/211113-xmg7zscdar/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
Unpacked files
SH256 hash:
aef52811b74cd4b4e93d4605c117ef4d6bbc3da0284b7f69c055779499cac551
MD5 hash:
bad98d0ea9eb5f8c9e808ef3856bf2e8
SHA1 hash:
096b2f7a027d492c26e9fc57ff5884973855f35e
Link:
https://www.unpac.me/results/91ff3f5f-1a95-46d6-a9b7-6d2c5cc90360/
SH256 hash:
f071709c71c19d16da4a7d460f1559542e02954d0e714410d1c615b67ce22379
MD5 hash:
e2b1b315921b100a562396ad39aa4537
SHA1 hash:
99033700fe2306e7982e2c6194d676aa88697586
Link:
https://www.unpac.me/results/91ff3f5f-1a95-46d6-a9b7-6d2c5cc90360/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe f071709c71c19d16da4a7d460f1559542e02954d0e714410d1c615b67ce22379

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1783592/
Cape
Cape
https://www.capesandbox.com/analysis/205483/

Comments


Avatar
zbet commented on 2021-11-13 18:57:20 UTC

url : hxxp://file-host-host6.com/files/3709_1636788860_785.exe