MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295
SHA3-384 hash: 5af16ffd2280cc9cd425dc3da1a677f9bab5d6adf5696be71036a5e79c572e80fcda0185302f4c600ecf8e58ef98b32f
SHA1 hash: a07b66cde199d96efb99718b9b7d365036350c29
MD5 hash: 0b222b4a899979ddf52b634b82368a08
humanhash: one-purple-jupiter-failed
File name:0b222b4a899979ddf52b634b82368a08.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:52'429'312 bytes
First seen:2024-05-30 01:00:11 UTC
Last seen:2024-05-30 01:30:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1572864:WK7C5EpF9PX7uC/mVLJhbWnRdrF10hWNYP02oa:WK7CMrLv0JhbWT/mXs2
Threatray 419 similar samples on MalwareBazaar
TLSH T1F0B733F4B24C0A53DAEA4E361C6E4CF9159FEADE65C0786831DBCFB04392A10A39755C
TrID 75.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e8d4cc6971ccd4e8 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a0986534.xsph.ru/283479bd.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
489
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295.exe
Verdict:
Malicious activity
Analysis date:
2024-05-30 01:01:14 UTC
Tags:
discord python evasion rat dcrat remote darkcrystal
Link:
https://app.any.run/tasks/83de1dfc-61b1-4696-b25e-241d96186faa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6657cfe6af950bab634f91fbwin7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Other Stealth Dropper Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Searching for the window
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
MSIL/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295
Result
Verdict:
MALICIOUS
Result
Threat name:
Python Stealer, DCRat, Discord Token Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1449302
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found pyInstaller with non standard icon
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected Discord Token Stealer
Yara detected Empyrean
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1449302 Sample: 8Zi7xnKKw7.exe Startdate: 30/05/2024 Architecture: WINDOWS Score: 100 150 www.cloudflare.com 2->150 152 raw.githubusercontent.com 2->152 154 2 other IPs or domains 2->154 164 Multi AV Scanner detection for domain / URL 2->164 166 Found malware configuration 2->166 168 Malicious sample detected (through community Yara rule) 2->168 170 20 other signatures 2->170 13 8Zi7xnKKw7.exe 5 2->13         started        17 cmd.exe 2->17         started        19 pjObodbHbdHWMjxwWYYCSysHZk.exe 2->19         started        21 2 other processes 2->21 signatures3 process4 file5 144 C:\Users\user\AppData\Local\...\svchost.exe, PE32 13->144 dropped 146 C:\Users\user\AppData\Local\Temp\intro.exe, PE32+ 13->146 dropped 148 C:\Users\user\AppData\Local\...\BoosterX.exe, PE32 13->148 dropped 196 Drops PE files with benign system names 13->196 23 intro.exe 136 13->23         started        27 svchost.exe 3 11 13->27         started        29 BoosterX.exe 1 2 13->29         started        31 dat.txt 17->31         started        33 conhost.exe 17->33         started        signatures6 process7 file8 112 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 23->112 dropped 114 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 23->114 dropped 116 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 23->116 dropped 124 86 other malicious files 23->124 dropped 176 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->176 178 Found pyInstaller with non standard icon 23->178 35 intro.exe 22 23->35         started        118 C:\Users\user\AppData\Local\...\svchost.exe, PE32 27->118 dropped 126 2 other malicious files 27->126 dropped 180 Drops PE files with benign system names 27->180 39 wscript.exe 1 27->39         started        120 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 31->120 dropped 122 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 31->122 dropped 128 87 other malicious files 31->128 dropped 42 dat.txt 31->42         started        signatures9 process10 dnsIp11 156 raw.githubusercontent.com 185.199.110.133, 443, 49744, 49752 FASTLYUS Netherlands 35->156 158 www.cloudflare.com 104.16.123.96, 443, 49746, 49754 CLOUDFLARENETUS United States 35->158 160 discord.com 162.159.137.232, 443, 49741, 49749 CLOUDFLARENETUS United States 35->160 110 C:\Users\user\AppData\Roaming\...\dat.txt, PE32+ 35->110 dropped 44 cmd.exe 35->44         started        46 cmd.exe 35->46         started        49 cmd.exe 35->49         started        55 4 other processes 35->55 172 Windows Scripting host queries suspicious COM object (likely to drop second stage) 39->172 51 cmd.exe 39->51         started        174 Tries to harvest and steal browser information (history, passwords, etc) 42->174 53 cmd.exe 42->53         started        file12 signatures13 process14 signatures15 57 dat.txt 44->57         started        61 conhost.exe 44->61         started        198 Uses cmd line tools excessively to alter registry or file data 46->198 63 reg.exe 46->63         started        65 conhost.exe 46->65         started        73 2 other processes 49->73 67 svchost.exe 51->67         started        69 conhost.exe 51->69         started        71 conhost.exe 53->71         started        75 7 other processes 55->75 process16 file17 130 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 57->130 dropped 132 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 57->132 dropped 134 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 57->134 dropped 142 86 other malicious files 57->142 dropped 182 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 57->182 184 Found pyInstaller with non standard icon 57->184 186 Potentially malicious time measurement code found 57->186 77 dat.txt 57->77         started        136 C:\Windows\...\pjObodbHbdHWMjxwWYYCSysHZk.exe, PE32 67->136 dropped 138 C:\Recovery\StartMenuExperienceHost.exe, PE32 67->138 dropped 140 C:\...\pjObodbHbdHWMjxwWYYCSysHZk.exe, PE32 67->140 dropped 188 Benign windows process drops PE files 67->188 190 Creates an undocumented autostart registry key 67->190 192 Creates multiple autostart registry keys 67->192 194 3 other signatures 67->194 79 pjObodbHbdHWMjxwWYYCSysHZk.exe 67->79         started        82 schtasks.exe 67->82         started        84 schtasks.exe 67->84         started        86 6 other processes 67->86 signatures18 process19 dnsIp20 88 cmd.exe 77->88         started        90 cmd.exe 77->90         started        92 cmd.exe 77->92         started        94 cmd.exe 77->94         started        162 a0986534.xsph.ru 141.8.197.42, 49745, 49747, 49751 SPRINTHOSTRU Russian Federation 79->162 process21 process22 96 conhost.exe 88->96         started        98 WMIC.exe 88->98         started        100 conhost.exe 90->100         started        102 WMIC.exe 90->102         started        104 conhost.exe 92->104         started        106 WMIC.exe 92->106         started        108 conhost.exe 94->108         started       
Score:
-100%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/faf82dcfbb2ffa2a94047a5e017d95e9757aa3420af8cebcef6c8933cde2c295
Gathering data
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2024-05-24 17:01:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7l4c3t53f75cvfaepjpac7mv5f2xvi2cbl4m5phpnsethtpcykkq._file
Verdict:
malicious
Similar samples:
1b76c862491ee6fa0be99ac8b47bbdcbe7556ea9b7e9f94321e92954581ca786
DCRat
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
DCRat
30f36f269a5d3b6b8c74c30dd448c3aa491d4b9fbd7c91e3b78e8eac7fa35857
DCRat
a539cf912da1307e901cb90312df5273b8702492e6a0f4e4802cd4004919b3e4
DCRat
+ 409 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence pyinstaller rat spyware stealer upx
Link:
https://tria.ge/reports/240530-bc823ahe48/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
DCRat payload
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04474299-7095-4a02-9e47-6cf2769c7752
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MALWARE_Win_DCRat
Create hunting rule
Author:ditekSHen
Description:DCRat payload
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shad0w_beacon_16June
Create hunting rule
Author:SBousseaden
Description:Shad0w beacon compressed
Reference:https://github.com/bats3c/shad0w
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments