MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dc975463ed56da75689bc1dbee1f22007743a1beaf5417951c186b967a597f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dc975463ed56da75689bc1dbee1f22007743a1beaf5417951c186b967a597f8
SHA3-384 hash: 897444b60c291f7cd709a5c0765de0a78d6e2eb6636d2b6afcc352453631224abb50dcbf45e5031445190bca075aa053
SHA1 hash: 5bc04d06bf3b139247d34e240debe1e38068a99e
MD5 hash: 68cfef1bf715b37fcb301187985adfdd
humanhash: summer-whiskey-lake-alanine
File name:68CFEF1BF715B37FCB301187985ADFDD.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:919'040 bytes
First seen:2021-07-20 21:25:16 UTC
Last seen:2021-07-20 21:35:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:iVAgZb4Z8O6q3vpMK7JVqb7ss3wk0OTjtkwxwLm+MXY457f:iOgZbgiuMeJmAs3wijV/+MI4x
Threatray 99 similar samples on MalwareBazaar
TLSH T1D01523247FFE41F1CE2D59BE4072930615A60E79449EC7432989FB2E39B309F92854DE
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://83.220.168.110/cdn/pipe_PacketApiuniversal.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://83.220.168.110/cdn/pipe_PacketApiuniversal.php https://threatfox.abuse.ch/ioc/161264/

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
68CFEF1BF715B37FCB301187985ADFDD.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-20 21:25:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12a8f6ea-50b4-4fe1-be73-4dd847956a8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172895/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop8.6654.29056.5351.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2ad0cb1-6ea9-4b36-a5a3-0be56673fb13
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819229
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451640 Sample: BcoQ7Vg4qc.exe Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 95 Antivirus / Scanner detection for submitted sample 2->95 97 Multi AV Scanner detection for dropped file 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 7 other signatures 2->101 11 BcoQ7Vg4qc.exe 6 2->11         started        15 explorer.exe 2->15         started        18 taskhostw.exe 3 2->18         started        20 10 other processes 2->20 process3 dnsIp4 77 C:\Users\user\AppData\...\DCRatBuild.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\...\BcoQ7Vg4qc.exe.log, ASCII 11->79 dropped 81 C:\Users\user\AppData\...\Cheat Engine.exe, PE32 11->81 dropped 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->113 22 DCRatBuild.exe 3 6 11->22         started        26 Cheat Engine.exe 11->26         started        85 83.220.168.110, 49774, 49782, 49783 THEFIRST-ASRU Russian Federation 15->85 115 System process connects to network (likely due to code injection or exploit) 15->115 117 Multi AV Scanner detection for dropped file 15->117 119 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->119 121 Tries to harvest and steal browser information (history, passwords, etc) 15->121 123 Machine Learning detection for dropped file 18->123 file5 signatures6 process7 file8 75 refSessionhostperf...eviewsessionsvc.exe, PE32 22->75 dropped 109 Multi AV Scanner detection for dropped file 22->109 111 Machine Learning detection for dropped file 22->111 28 wscript.exe 1 22->28         started        signatures9 process10 process11 30 cmd.exe 1 28->30         started        process12 32 refSessionhostperfNetreviewsessionsvc.exe 15 24 30->32         started        36 conhost.exe 30->36         started        file13 67 C:\Windows\lsasetup\explorer.exe, PE32 32->67 dropped 69 C:\Windows\System32\...\taskhostw.exe, PE32 32->69 dropped 71 C:\Windows\...\ApplicationFrameHost.exe, PE32 32->71 dropped 73 4 other malicious files 32->73 dropped 87 Multi AV Scanner detection for dropped file 32->87 89 Creates an undocumented autostart registry key 32->89 91 Machine Learning detection for dropped file 32->91 93 6 other signatures 32->93 38 cmd.exe 32->38         started        41 schtasks.exe 1 32->41         started        43 schtasks.exe 1 32->43         started        45 5 other processes 32->45 signatures14 process15 signatures16 103 Uses ping.exe to sleep 38->103 105 Drops executables to the windows directory (C:\Windows) and starts them 38->105 107 Uses ping.exe to check the status of other devices and networks 38->107 47 ApplicationFrameHost.exe 38->47         started        50 PING.EXE 38->50         started        63 2 other processes 38->63 53 conhost.exe 41->53         started        55 conhost.exe 43->55         started        57 conhost.exe 45->57         started        59 conhost.exe 45->59         started        61 conhost.exe 45->61         started        65 2 other processes 45->65 process17 dnsIp18 125 Multi AV Scanner detection for dropped file 47->125 127 Machine Learning detection for dropped file 47->127 129 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 47->129 83 192.168.2.1 unknown unknown 50->83 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0dc975463ed56da75689bc1dbee1f22007743a1beaf5417951c186b967a597f8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 00:47:14 UTC
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxexkrr62vw2ovujxqo35ypseadxioq35l2uc6krygdlsz5fs74a._file
Verdict:
malicious
Similar samples:
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
844b9f86c1708ac12367aeef61e3116207fc430734449781d663755f9b4ffad8
DCRat
96151faabe100e36e7b72f1db0608fe92e4fabf89fee6567739f10a0e4147933
DCRat
9ada53ed3ea8e1da6d93298c945e71179235f53baf6f363a37de83f1a977e148
DCRat
bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
DCRat
d700e68d1c067c7bb297805d8429aa95cde9b6ec484c490ebdb01fc9689b1a31
DCRat
f4c62f1bb28e7734697495b0125bcf943c6f528c297fa904865e58165e030a2a
DCRat
ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93
DCRat
+ 89 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/210720-e2f8t6jr6a/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies registry class
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DCRat Payload
DcRat
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
2280e843634b769d07b7899571fccf1384d67ea25789643b4829ae8f2598245e
MD5 hash:
cc783e5231ba90c7630bc39fd0a99535
SHA1 hash:
68c72f7a343365694c6a969444842fd8836a158b
Link:
https://www.unpac.me/results/7196f349-3d5c-4efd-bce7-c96a34f1c66b/
SH256 hash:
b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f
MD5 hash:
89bf0f7e9adf290c6d571eccf79206a9
SHA1 hash:
65f95791234ff93bc3e35f1d35d7a6664872dc56
Link:
https://www.unpac.me/results/7196f349-3d5c-4efd-bce7-c96a34f1c66b/
Parent samples :
d5775aecd2e8d149e2b9ba576ddc2db3624a974cafc8fc1df318226fc2c6d4b4
8e997bef9ad61722cb7b782da93b7373acd19dbdc4cb91b47e80280e2100b6a3
5ba1b028da2c0e52c38c7a55bf1e7952cc50c907576ec2f22b6a25d691dde2d6
be15d47389920ab9637eefc24bbf6c191607013a3d2608c1243a377aacb5d4ce
f027301d00c6bc4b1c87e5e3266775f395907fa04e2c768b7082381d60880f82
b1088573c2e783e97fb07ccf1d8d8e9372ccd8983cc07c7ee9c6989a3844b334
e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff
45e1440acf3453915252d0d61ffcee6fd96170ccf2323c16178dfaaa186565f8
1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
f733fbe95a7fe8a2c0ef459b05fed88b7a295de5e39c591bf62d3e0a5575e6fc
658b0a01404144b5da03574e2a05b6c02030baa2276b9e047174c6ccb3e8918d
cf4efad0b9d74151b09be4acfb12d1aea2a9e316b97a2eb7f4ca8ac12b0e6d8c
381bb149e04bec8f62336cdf3c81741c2c7a471f6dacc2f7835eb174643abad7
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
1a39cff5d5b0b550cd9b30f08c0e32430c2e1b92aecc663d4151789e54d13f64
1b881d8c3ba53e9b250de6d1118a27738fd8e88fd475e3e01afabd4e627f83a2
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
2ec983b4653f6a5ee028e9ecfa37d8cf2404a10e9691bb8ed39023be643ef55e
797bbd3d5e08ab4919540911ab6149be0c6f38de3659378bf38fc5ac01ccee48
4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
4d908524b238846077a6fb1df34be93ae926e13c15bb8ac5c45a8980ef4862ce
581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892
8ac5083f52da0ff312259331f65b326782803aa837a7b371a6d43a021b0c24c3
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
e1a60229372db9d65dbadfe6db923edf3987ac9f908878491bd12497613324d8
41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
ab71530434f64e6aa105732c42dbb5a409ac0aae4258b3c3e7db1a7d5914cc30
3b88fdeb5144b0f3a710b42cefa937e57aed28001acb82562229472ce258a124
70fbebc77d5f37a0ffd373be6ee9f218a5ea30b86e395e7212b850f0f6934b6f
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
1d6628a6cd66f3dd7f3377ee1c30e8a92cedb1d40f5a121b84e5ab84a0e19909
841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4
1b304c8a2ae4546bd7958c7f22becaf6b682a5c88b7a01945a952de991b0ef0b
693cf45b243073eeb5479f4b29ff36c417b858b042363cf1a53d7623504a6d29
f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
48be2502fad84657b383c41b2616f34a029f9a39d63aae1a1714faf7ba79e3da
SH256 hash:
9b87ce82698dd215faff23f0354fec433ea07f2d3027d2b5fc839335615f994c
MD5 hash:
a4c2fae2f9286e56077141575b5d3016
SHA1 hash:
ac898f8830cab7231bd7a99dff5d874908cb5147
Link:
https://www.unpac.me/results/7196f349-3d5c-4efd-bce7-c96a34f1c66b/
SH256 hash:
0dc975463ed56da75689bc1dbee1f22007743a1beaf5417951c186b967a597f8
MD5 hash:
68cfef1bf715b37fcb301187985adfdd
SHA1 hash:
5bc04d06bf3b139247d34e240debe1e38068a99e
Link:
https://www.unpac.me/results/7196f349-3d5c-4efd-bce7-c96a34f1c66b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/0dc975463ed56da75689bc1dbee1f22007743a1beaf5417951c186b967a597f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172895/

Comments