MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f10d88699eec9ef46958ac79f574ded8b9a7f4ba4d2783370d628e32378a6ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f10d88699eec9ef46958ac79f574ded8b9a7f4ba4d2783370d628e32378a6ad
SHA3-384 hash: f4b69874997bbd3f2d4b4cf6985fbe2d2a2dc18aefacae688ddac81135e3df74a7b3801df10ce224c3362581d61c48fd
SHA1 hash: 92f0deff81b858db8064136b67ee8642790596c2
MD5 hash: b2687948f59b6bbeede996c0c972ab88
humanhash: bacon-winner-blue-eleven
File name:b2687948f59b6bbeede996c0c972ab88.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'455'733 bytes
First seen:2022-03-05 10:15:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:P2G/nvxW3WMH0YoY8SlJUFr/C1DdRd59OfO0RPhj+:PbA31UYhjJUFrQRvqF8
Threatray 2'683 similar samples on MalwareBazaar
TLSH T1F8656C027A46CD63E4650637C9EF4118C3BCBD922B26DB5B7E5A339D15123A3AD092CF
File icon (PE):PE icon
dhash icon b270e892caf270b2 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://188.120.224.97/javascriptMariadb/Requestlongpollflowertrack.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://188.120.224.97/javascriptMariadb/Requestlongpollflowertrack.php https://threatfox.abuse.ch/ioc/392568/

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247520/
Detection(s):
Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9937390-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the system32 subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Sending a UDP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8277/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58bed1d2-ea19-4632-9c85-d775606e113d
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951160
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 583641 Sample: xF0MVI68DZ.exe Startdate: 05/03/2022 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Antivirus detection for URL or domain 2->53 55 Antivirus detection for dropped file 2->55 57 9 other signatures 2->57 10 xF0MVI68DZ.exe 3 6 2->10         started        13 dllhost.exe 2 2->13         started        16 fontdrvhost.exe 3 2->16         started        18 14 other processes 2->18 process3 file4 47 C:\perfCrtSvc\perfCrtSvcintoSessionNet.exe, PE32 10->47 dropped 49 C:\perfCrtSvc\3JokJLSkpoG9ucUKE7yu.vbe, data 10->49 dropped 20 wscript.exe 1 10->20         started        67 Antivirus detection for dropped file 13->67 69 Multi AV Scanner detection for dropped file 13->69 71 Machine Learning detection for dropped file 13->71 signatures5 process6 process7 22 cmd.exe 1 20->22         started        process8 24 perfCrtSvcintoSessionNet.exe 10 26 22->24         started        28 conhost.exe 22->28         started        file9 39 C:\Windows\...\backgroundTaskHost.exe, PE32 24->39 dropped 41 C:\Windows\System32\setbcdlocale\lsass.exe, PE32 24->41 dropped 43 C:\Windows\System32\...\fontdrvhost.exe, PE32 24->43 dropped 45 5 other malicious files 24->45 dropped 59 Antivirus detection for dropped file 24->59 61 Machine Learning detection for dropped file 24->61 63 Creates multiple autostart registry keys 24->63 65 3 other signatures 24->65 30 cmd.exe 24->30         started        signatures10 process11 signatures12 73 Drops executables to the windows directory (C:\Windows) and starts them 30->73 33 conhost.exe 30->33         started        35 w32tm.exe 30->35         started        37 fontdrvhost.exe 30->37         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f10d88699eec9ef46958ac79f574ded8b9a7f4ba4d2783370d628e32378a6ad/
Threat name:
Win32.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2022-02-26 14:21:08 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
24 of 42 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4inrbuz53e66ruvrldz6v2n5wfzu72lutjhqm3q2yuogi3yu2wq._file
Verdict:
malicious
Similar samples:
8554055185d6abbe893c332a0683b3f493ab6850c62a5901cd9c7ae232f5d63b
DCRat
bd201923cb73953bf498fa38605be4f38e617e1dea209ab124a0f3c7b3a14f79
DCRat
cfa36f8b69b482615ce9dfe611d1670c37a29959c6070d7da92fb6418c6136ce
DCRat
d810072e7363c14184f61fee52b2968f7394ed84a7bb1ff52dba033b30ce17e0
DCRat
e6ad5368a0730c7bdae479653215ef1b7b79237f2bff3cde9bce4debe22b62be
DCRat
+ 2'673 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/220305-massvagdd9/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
4d95e78bb8e3847805c34450dce2da1f2b9f33cc1412281878b1a31c7db5c7b3
MD5 hash:
631952acdb73b96c90f83634e6c5d7c2
SHA1 hash:
886c9323ff1b246a0f2a8ab0a2222ef79f10ce44
Link:
https://www.unpac.me/results/acf10f75-5af3-40e3-a1d5-7e7d35ee7b5f/
SH256 hash:
92e520c976268b1cfa9b3fa44bf1c11834bcd00b91b9a399ef637189c8c819e8
MD5 hash:
20df5b3e0f6a0602789e8aedc00f62da
SHA1 hash:
4231c7a5d12ed74bb67b67db090293e6c0c16864
Link:
https://www.unpac.me/results/acf10f75-5af3-40e3-a1d5-7e7d35ee7b5f/
SH256 hash:
bc0e14fb723a0fbc91badfc41e64e3e2956a76663e479ed575684a6ff6165f3e
MD5 hash:
a644861cccde13d14066697a8e4a0905
SHA1 hash:
bcee0a56d975bf3595d8f97e70c3acdb4dd59762
Link:
https://www.unpac.me/results/acf10f75-5af3-40e3-a1d5-7e7d35ee7b5f/
SH256 hash:
0f10d88699eec9ef46958ac79f574ded8b9a7f4ba4d2783370d628e32378a6ad
MD5 hash:
b2687948f59b6bbeede996c0c972ab88
SHA1 hash:
92f0deff81b858db8064136b67ee8642790596c2
Link:
https://www.unpac.me/results/acf10f75-5af3-40e3-a1d5-7e7d35ee7b5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f10d88699eec9ef46958ac79f574ded8b9a7f4ba4d2783370d628e32378a6ad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/247520/

Comments