MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c
SHA3-384 hash: 6b422b5bdd46cff287940a986caa542df708683c189e0645d090c43ba53a6f0fe572bb9576156c83d850710ef0b635a3
SHA1 hash: 85e4bf6f82e3bc640652df5982a937fa1457e541
MD5 hash: 142fc3f98e2b78474c392c72a6e4b826
humanhash: white-six-fish-queen
File name:HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'590'272 bytes
First seen:2023-01-22 13:25:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:fClaqwJlj0Wxxjb2dTGH7i3uOpK4KH/cKgphBhxqdvhm/Y3TnJ6f:fCqlj0exjxH7xn/WphBhg8A7J
Threatray 3'406 similar samples on MalwareBazaar
TLSH T1E9753303FE9DFE7BC26A60B3813BBE5255B160191123B6463C233586B5297C12FAF785
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://82.146.46.51/Camgameprogram/bindatasupport/plugin/searcherantitrace/binPrefgamebin/Servertracesearcher/datapluginruleprogram/Math/cut/eternallinegeoGenerator.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Verdict:
Malicious activity
Analysis date:
2023-01-22 13:26:49 UTC
Tags:
trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/8ce5aad4-bc69-4dff-a4c5-f051818640ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355606/
Detection(s):
Win.Malware.Mardom-9901704-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Launching a process
Sending a custom TCP request
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer fareit packed
Link:
https://www.filescan.io/uploads/63cd396b447edb203a0040c9/reports/c4d1bd47-2856-4303-ad09-ed39a5ce6ac9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9451778c-4e71-471c-9612-23cd46528d82
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156503
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates files inside the volume driver (system volume information)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789235 Sample: HEUR-Trojan-PSW.MSIL.Reline... Startdate: 22/01/2023 Architecture: WINDOWS Score: 100 118 Malicious sample detected (through community Yara rule) 2->118 120 Antivirus detection for dropped file 2->120 122 Antivirus / Scanner detection for submitted sample 2->122 124 8 other signatures 2->124 11 HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe 1 2->11         started        15 Registry.exe 2->15         started        17 uwIzMZMmthCXahGZWEJMsnCLVRA.exe 1 2->17         started        19 3 other processes 2->19 process3 file4 108 HEUR-Trojan-PSW.MS...5baeadbd367.exe.log, ASCII 11->108 dropped 150 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->150 152 Uses schtasks.exe or at.exe to add and modify task schedules 11->152 154 Drops PE files with benign system names 11->154 21 HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe 4 25 11->21         started        156 Antivirus detection for dropped file 15->156 158 Multi AV Scanner detection for dropped file 15->158 160 Machine Learning detection for dropped file 15->160 25 Registry.exe 15->25         started        162 Injects a PE file into a foreign processes 17->162 27 uwIzMZMmthCXahGZWEJMsnCLVRA.exe 2 17->27         started        29 HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe 2 19->29         started        31 services.exe 19->31         started        33 sihost.exe 19->33         started        signatures5 process6 file7 100 C:\Windows\SysWOW64\wbem\...\WmiPrvSE.exe, PE32 21->100 dropped 102 C:\Windows\SysWOW64\...\RuntimeBroker.exe, PE32 21->102 dropped 104 C:\Windows\SysWOW64\KBDFA\RuntimeBroker.exe, PE32 21->104 dropped 106 7 other malicious files 21->106 dropped 148 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->148 35 cmd.exe 1 21->35         started        38 csrss.exe 21->38         started        40 schtasks.exe 1 21->40         started        42 4 other processes 21->42 signatures8 process9 signatures10 126 Uses ping.exe to sleep 35->126 128 Uses ping.exe to check the status of other devices and networks 35->128 44 HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe 35->44         started        47 chcp.com 1 35->47         started        49 PING.EXE 1 35->49         started        52 conhost.exe 35->52         started        130 Antivirus detection for dropped file 38->130 132 Multi AV Scanner detection for dropped file 38->132 134 Machine Learning detection for dropped file 38->134 136 Injects a PE file into a foreign processes 38->136 138 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 40->138 54 conhost.exe 40->54         started        56 conhost.exe 42->56         started        58 conhost.exe 42->58         started        60 conhost.exe 42->60         started        62 conhost.exe 42->62         started        process11 dnsIp12 164 Injects a PE file into a foreign processes 44->164 64 HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe 44->64         started        166 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 47->166 110 192.168.2.1 unknown unknown 49->110 signatures13 process14 file15 92 C:\Windows\CbsTemp\WmiPrvSE.exe, PE32 64->92 dropped 94 C:\Users\Default\Desktop\csrss.exe, PE32 64->94 dropped 96 C:\...\RuntimeBroker.exe, PE32 64->96 dropped 98 13 other malicious files 64->98 dropped 114 Creates files inside the volume driver (system volume information) 64->114 116 Hides that the sample has been downloaded from the Internet (zone.identifier) 64->116 68 WmiPrvSE.exe 64->68         started        71 schtasks.exe 64->71         started        73 schtasks.exe 64->73         started        75 6 other processes 64->75 signatures16 process17 signatures18 140 Antivirus detection for dropped file 68->140 142 Multi AV Scanner detection for dropped file 68->142 144 Machine Learning detection for dropped file 68->144 146 3 other signatures 68->146 77 WmiPrvSE.exe 68->77         started        80 conhost.exe 71->80         started        82 conhost.exe 73->82         started        84 conhost.exe 75->84         started        86 conhost.exe 75->86         started        88 conhost.exe 75->88         started        90 3 other processes 75->90 process19 dnsIp20 112 82.146.46.51, 49684, 49685, 49686 THEFIRST-ASRU Russian Federation 77->112
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 12:06:04 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rn25ln5gzykhvxq4xs52uzskjurkponaimvzdmy2gsj3ofgwrwa._file
Verdict:
malicious
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
DCRat
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb
DCRat
64372c3ad1a4fff52786f20761db9c67605a533f0b5c48311b9cb005c24e0314
DCRat
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
DCRat
88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f
DCRat
c1f1b8f358e98ae14b424dd8d57e022b8dc68c7c5f14a8d3dea8f1e66601f351
DCRat
d700e68d1c067c7bb297805d8429aa95cde9b6ec484c490ebdb01fc9689b1a31
DCRat
+ 3'396 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/230122-qphg7sgb48/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
DCRat payload
DcRat
Unpacked files
SH256 hash:
3ec59d24755cfb15ae2c0daaee1d9e7913ccdbf4776a6b1f14aef5c96026cba4
MD5 hash:
3ebeb1cebe8a3d01ead0ccc0503263f4
SHA1 hash:
5178f8928b4c61dfb77277c768f5229254a808eb
Link:
https://www.unpac.me/results/717b2186-bc3c-4ac2-b39a-c3093bcfb137/
SH256 hash:
b587af2285f52f6db9eed5c502fec10102b2b276564d3f572677ba2afc92dd69
MD5 hash:
8ca3ed415631c1b530ade92da8e83abd
SHA1 hash:
54b48a350b0be37df385b091c83a61c0e6fc78e7
Link:
https://www.unpac.me/results/717b2186-bc3c-4ac2-b39a-c3093bcfb137/
SH256 hash:
b09c8cfca2bba8187d8e61f302dea789285bd10040b26fe59a83ae943a652a4b
MD5 hash:
fae275ca7febec7eaed70651acd5192c
SHA1 hash:
916eebf77fb4a9882b88bc0a1a2ddca57dfbd45a
Link:
https://www.unpac.me/results/717b2186-bc3c-4ac2-b39a-c3093bcfb137/
SH256 hash:
f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c
MD5 hash:
142fc3f98e2b78474c392c72a6e4b826
SHA1 hash:
85e4bf6f82e3bc640652df5982a937fa1457e541
Link:
https://www.unpac.me/results/717b2186-bc3c-4ac2-b39a-c3093bcfb137/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f45baeadbd36/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355606/

Comments