MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d
SHA3-384 hash: 9c4f8a9e29d47c50f984b617ff41e57e4fad7b922a01c46ab360b0abd16e3de408ad36b73f051a9dec3a5f22d52681c5
SHA1 hash: 7ec15f32916c21efd92db1f52b1edc9c4e81df35
MD5 hash: 080dea74b4e8c480a3dc1be07c13eeeb
humanhash: ten-autumn-emma-north
File name:080dea74b4e8c480a3dc1be07c13eeeb
Download: download sample
Signature DCRat
Create hunting rule
File size:1'486'848 bytes
First seen:2021-08-18 16:53:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:wUesxbPoSf/0W4vVo6m+p2EFV0/hkAGmo+M5AMGlVrfelPMEeA6yy+4:pJ0W4vANaPmbM9wFeplZ7F
Threatray 125 similar samples on MalwareBazaar
TLSH T1AD655A123A4ADD0AD029163BCDDF443847ACAD417B66DB1A7E9F336C65123A70D8D2CE
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
080dea74b4e8c480a3dc1be07c13eeeb
Verdict:
Malicious activity
Analysis date:
2021-08-18 16:54:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9a17a063-cd54-4459-87a3-83aa10567bc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180403/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Packed.Uztuby-9877681-0
Create hunting rule

Win.Packed.Uztuby-9878629-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73db0fd7-c475-444f-a253-590cb45ed64a
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835235
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467664 Sample: Fd6fRRtImJ Startdate: 18/08/2021 Architecture: WINDOWS Score: 100 38 account-shop.pp.ru 2->38 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected DCRat 2->46 48 Machine Learning detection for sample 2->48 50 Drops executables to the windows directory (C:\Windows) and starts them 2->50 8 Fd6fRRtImJ.exe 7 21 2->8         started        12 WmiPrvSE.exe 15 2 2->12         started        15 dllhost.exe 3 2->15         started        17 6 other processes 2->17 signatures3 process4 dnsIp5 30 C:\Windows\System32\...\dwm.exe, PE32 8->30 dropped 32 C:\Windows\SysWOW64\wbem\...\WmiPrvSE.exe, PE32 8->32 dropped 34 C:\Windows\Performance\WinSAT\dllhost.exe, PE32 8->34 dropped 36 6 other malicious files 8->36 dropped 54 Creates multiple autostart registry keys 8->54 56 Creates an autostart registry key pointing to binary in C:\Windows 8->56 58 Creates processes via WMI 8->58 60 Drops PE files with benign system names 8->60 19 cmd.exe 1 8->19         started        40 account-shop.pp.ru 94.23.146.204, 49703, 49704, 49705 OVHFR France 12->40 42 192.168.2.1 unknown unknown 12->42 62 Multi AV Scanner detection for dropped file 12->62 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->64 66 Protects its processes via BreakOnTermination flag 12->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->68 70 Machine Learning detection for dropped file 15->70 file6 signatures7 process8 signatures9 52 Drops executables to the windows directory (C:\Windows) and starts them 19->52 22 w32tm.exe 1 19->22         started        24 conhost.exe 19->24         started        26 chcp.com 1 19->26         started        28 WmiPrvSE.exe 19->28         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 06:57:36 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kgmb4prubaijefdtk4yer32ugo4pmmzywm6t6nitzrpf5bdujgq._file
Verdict:
unknown
Similar samples:
0dc975463ed56da75689bc1dbee1f22007743a1beaf5417951c186b967a597f8
DCRat
33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb
DCRat
3b20be034ea25bcf142fe6d985c38918bde59c780b3ac7bdef4f0b88048f5dd0
DCRat
427eaaff3e1ad963dcb643bbc7c81a6338b544816ef22924c7b5d62a5ae55f70
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
629c671a92b4a3af617c2d8fe133430ab77aac0acb07914f047f8868eb9ed92a
DCRat
96151faabe100e36e7b72f1db0608fe92e4fabf89fee6567739f10a0e4147933
DCRat
aebfeecd15596e7b6b4a739157229d3a0e1ea320e9352e4e725663b5a4f367b1
DCRat
f4c62f1bb28e7734697495b0125bcf943c6f528c297fa904865e58165e030a2a
DCRat
+ 115 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat
Link:
https://tria.ge/reports/210818-xrnxmm8eq6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
DCRat Payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
bb4b57723fbcdfbb47807454b2aa4be9fae345110c446f860484e22ee8fe5fcb
MD5 hash:
1a69b97daf93b539a2bd23b18d5e38f2
SHA1 hash:
ff73bba23a3d3e5a6486cf25e8f62b786e40f95d
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
1dd2a07c2f49925124d2734514da781a5bdf5fe68420aa5697535394241e62ed
MD5 hash:
192a4ff3c5381dd618637c08f854d09f
SHA1 hash:
f0051f0e9bb599db0970fa784781b0e5bb94dfb9
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
c5af0a10880d9cce34a6116b46bc158dfb68b85638bc6eb217d966c1a0cd3d0e
MD5 hash:
673792e647467bc28e15279877cc4c77
SHA1 hash:
cbea63a47e7534c1e671c2bc3e2a2ce236435103
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
4d882bdc8862a5ffce51071bd3504063258d1e1bae8fce68c4260c0279bfa5e7
MD5 hash:
2baff121c9bdc0c3f87b628529b29b01
SHA1 hash:
a417863536943f91004c7cf51a0a50c92e8e6ba2
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
918c7b33a0cd590520afe9653c5c4f79d963cd854d52806367a2b7d0e5e5c120
MD5 hash:
7df88aed3613ccefb30d7289a45ed1aa
SHA1 hash:
a1aa117e242b2464f8ba4a4ba617f04ea6246531
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
48ffb33fd7ccc3e2b225e538d5b193aed061d6e42dbc038acd0263fc30735ae3
MD5 hash:
12a345540f4d15d76063d14b5a8c82bf
SHA1 hash:
9577b2b5c4fba6b2afa65c5161fce75f48e75d5d
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
64c61736d27b18db48aaf8801fe1d8dcc4b1e9be24c0babc03d0934cfb3709ef
MD5 hash:
22ae100377f31e27d3eb21e6dc30cb34
SHA1 hash:
85f505328a0acd2cfa74835cc062bdc47e9d24b7
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
38949bbb01fe7a29d224967527ec1562b41d4e3e5fbb05862636bf68cf936dbf
MD5 hash:
00ef047ebcf7d8b2cfb97595cf4ad466
SHA1 hash:
7b2078fe4f91c1dae46ebf1b0bac5c19a7911ac8
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
736eed2e715f347e4b3d50ffdf9caab30bbff14f371b74487b1e9290a4ceba53
MD5 hash:
29d07b750544027fefb0c8e573f196d4
SHA1 hash:
6c73dc53f1af57e1b2b404f2e20a9aecbaa80051
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
53e68daf4a2317ad5785491b8e0664cecdf3fe2977880ad661766544f43a96cf
MD5 hash:
d6359b7edc4192e8e8570e4ed177666d
SHA1 hash:
5d8497497a525ac6269056678de819cb95d13460
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
614bcb007c20f08f7ce77000cf9b177ac3f7b8228e19002a0beec050a0297beb
MD5 hash:
6f4e90ab9cb028c49833186731443567
SHA1 hash:
0e72a819b3b25b792a903bdee5a2e57a0caf3c25
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
SH256 hash:
f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d
MD5 hash:
080dea74b4e8c480a3dc1be07c13eeeb
SHA1 hash:
7ec15f32916c21efd92db1f52b1edc9c4e81df35
Link:
https://www.unpac.me/results/56874fdc-47a3-4394-beb5-510b73a56c7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1544449/
Cape
Cape
https://www.capesandbox.com/analysis/180403/

Comments


Avatar
zbet commented on 2021-08-18 16:53:25 UTC

url : hxxp://135.125.172.201/CrtCommonwinbroker.exe