MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f009ca3c6662f5ee12f5f6c44a942b929c0c52b9a473872ce9dd4ac4a2ebf5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f009ca3c6662f5ee12f5f6c44a942b929c0c52b9a473872ce9dd4ac4a2ebf5a
SHA3-384 hash: 9f852e48e9316a5be2d89a1a2468afaee86bf2ee31043760989b2285952d7c075341a0a4924bd0d028119b5e3cdab06f
SHA1 hash: bf53524027cb51af3da49734dc1bace1db1a89a0
MD5 hash: e178ecc65c559899109404b364c97c0b
humanhash: triple-venus-mockingbird-oxygen
File name:0f009ca3c6662f5ee12f5f6c44a942b929c0c52b9a473.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'321'600 bytes
First seen:2022-08-10 18:55:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:ZbA3Fmy7MzX8hwQLoDMmTizRoqXOIa/c8kP+aHlhACuvIFeNt9aViHHG+r:ZbEMDMo9i9ROG8kmaHlhATYeNtPG4
TLSH T163F5D0123D408962F12C1673C3EF961447BDAD272AE5D71B3AEE33BD54223A2684C5DB
TrID 54.2% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
40.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
2.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8e2eae6e292c2ee (14 x ArkeiStealer, 10 x RedLineStealer, 3 x Vidar)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://185.43.6.68/Default/private/Traffic8/0Test/GameDownloadsgenerator/CpuuploadsBigload/8universal/Uploads9updateCdn/3cdnExternal1/DbUniversal8pipe/0/ProviderGenerator/Datalife8sql/0Central/LongpollcentralLocal/Defaultprocessor/phpGeomultiTest.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.43.6.68/Default/private/Traffic8/0Test/GameDownloadsgenerator/CpuuploadsBigload/8universal/Uploads9updateCdn/3cdnExternal1/DbUniversal8pipe/0/ProviderGenerator/Datalife8sql/0Central/LongpollcentralLocal/Defaultprocessor/phpGeomultiTest.php https://threatfox.abuse.ch/ioc/842366/

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0f009ca3c6662f5ee12f5f6c44a942b929c0c52b9a473.exe
Verdict:
No threats detected
Analysis date:
2022-08-10 18:57:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c9b434a-eb30-44d8-b75c-f5195b78330b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297726/
Detection(s):
Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Malware.Uztuby-9957322-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Changing a file
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Blocking the User Account Control
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28545/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62f3ff48810e2831b7354d9d/reports/67caede9-7062-4b69-a2d1-319b0d5fcc94/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c9528c8-c652-4892-8645-42a68e8dca6c
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1049431
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Disables UAC (registry)
Drops executable to a common third party application directory
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 681925 Sample: 0f009ca3c6662f5ee12f5f6c44a... Startdate: 10/08/2022 Architecture: WINDOWS Score: 92 43 Antivirus detection for dropped file 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Yara detected DCRat 2->47 49 3 other signatures 2->49 8 0f009ca3c6662f5ee12f5f6c44a942b929c0c52b9a473.exe 3 10 2->8         started        11 fontdrvhost.exe 2 2->11         started        14 spoolsv.exe 2->14         started        16 17 other processes 2->16 process3 file4 37 C:\Users\user\AppData\...\componentWeb.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Roaming\...\FdT2g.vbe, data 8->39 dropped 18 wscript.exe 1 8->18         started        59 Antivirus detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 signatures5 process6 process7 20 cmd.exe 1 18->20         started        process8 22 componentWeb.exe 2 33 20->22         started        27 conhost.exe 20->27         started        dnsIp9 41 192.168.2.1 unknown unknown 22->41 29 C:\Users\Public\Music\RuntimeBroker.exe, PE32 22->29 dropped 31 C:\Recovery\winlogon.exe, PE32 22->31 dropped 33 C:\Recovery\spoolsv.exe, PE32 22->33 dropped 35 12 other files (10 malicious) 22->35 dropped 51 Antivirus detection for dropped file 22->51 53 Machine Learning detection for dropped file 22->53 55 Disables UAC (registry) 22->55 57 3 other signatures 22->57 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f009ca3c6662f5ee12f5f6c44a942b929c0c52b9a473872ce9dd4ac4a2ebf5a/
Threat name:
ByteCode-MSIL.Trojan.ZmutzyLscpt
Create hunting rule
Status:
Malicious
First seen:
2022-08-10 18:56:18 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4ajzi6gmyxv5yjpl5wejkkcxeu4brjltjdtq4wotxkkysrox5na._file
Verdict:
malicious
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/220810-xlcacadgan/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
UAC bypass
Unpacked files
SH256 hash:
63d6562298a2b92cc06ab9b88b2788bbfb3f5e58cb9fcdcb85108b160fe83066
MD5 hash:
9c5d0d589770e011ba91e4be7289406b
SHA1 hash:
fbc3315a671fe8682872133e7fbf33cce581d9bb
Link:
https://www.unpac.me/results/148a647f-105c-4aec-abc0-ea3f0a6d8548/
SH256 hash:
bb861239ea9b137e6f9fd758f4844ed2f3d30c0ba0c29340336fb2f2edf717b5
MD5 hash:
185096a74eba829379b3c962dc4cdc8b
SHA1 hash:
d9deeeaad22d2ec41e67c35107b842e09b743e0a
Link:
https://www.unpac.me/results/148a647f-105c-4aec-abc0-ea3f0a6d8548/
SH256 hash:
fece55a699cc9afe977b2a655ee983f08542487337f0b945929207636412ebc3
MD5 hash:
5788edb7472c9533c865871f496fb04b
SHA1 hash:
d9be943ebab1e77a15102b33dd64f5c12fa51f17
Link:
https://www.unpac.me/results/148a647f-105c-4aec-abc0-ea3f0a6d8548/
SH256 hash:
e5728118fe3a9875ff78d8c378671c7a8464afc9781022acdefa4cdc25a0c95c
MD5 hash:
038f8e2e5008962e72573cc6632865b9
SHA1 hash:
c34a651084d1896d96971e2962618d3245ae2bcc
Link:
https://www.unpac.me/results/148a647f-105c-4aec-abc0-ea3f0a6d8548/
SH256 hash:
616dd812c5389a40747e34198b37b682fabb8460466a3f38b2f1897c87340395
MD5 hash:
171b0edf6d2279e0f993649d054cfa65
SHA1 hash:
4facde012877346f3243ba974bdc9dac944d9588
Link:
https://www.unpac.me/results/148a647f-105c-4aec-abc0-ea3f0a6d8548/
SH256 hash:
0f009ca3c6662f5ee12f5f6c44a942b929c0c52b9a473872ce9dd4ac4a2ebf5a
MD5 hash:
e178ecc65c559899109404b364c97c0b
SHA1 hash:
bf53524027cb51af3da49734dc1bace1db1a89a0
Link:
https://www.unpac.me/results/148a647f-105c-4aec-abc0-ea3f0a6d8548/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f009ca3c666/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f009ca3c6662f5ee12f5f6c44a942b929c0c52b9a473872ce9dd4ac4a2ebf5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/297726/

Comments