MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f950c613be68fd9e5b6cf87664cab0263c3d3b224458f526566631b21d44d26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f950c613be68fd9e5b6cf87664cab0263c3d3b224458f526566631b21d44d26
SHA3-384 hash: ebe2b53c7c8c881180f024c2d050535002c82cf270ae93647c024078b216b687c571b162fd021ff3320e44939555f9d5
SHA1 hash: b401f0097636a828d5e54460d502a0c388458ecd
MD5 hash: 02e997b17d87f7de5abb0d54a22450f0
humanhash: london-neptune-louisiana-uncle
File name:02e997b17d87f7de5abb0d54a22450f0.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'617'875 bytes
First seen:2024-01-15 23:30:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (434 x NirCmd, 392 x DCRat, 52 x RedLineStealer)
ssdeep 24576:2TbBv5rUyXVhxc5KhZyYDqye9Hw2mTyv+0v8xovLCGEpdAHiz+F:IBJoMh5DvmHOq+rxojH9
TLSH T1E7751201BAD188B1EA33293752795721667CBC206F628FEBA3D05E1EDD312C0DB357A5
TrID 74.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://89.185.84.52/4Async/windows/PacketVideo_/GeoPollphp/40/ProtecttrackDownloads/Wordpress4Packet/linux7/protect/ApiprotectBaseWp/temporary8asyncAuth/EternalphpPacketGeoUpdateFlowerdownloads.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471007/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm installer lolbin overlay packed replace setupapi sfx shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/65a5c03794d1aebfb2a20271/reports/d3a4e271-ba12-4e47-b27c-7b5b80d97d58/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/0f950c613be68fd9e5b6cf87664cab0263c3d3b224458f526566631b21d44d26
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c8180d4-c2a4-4eeb-ad28-d88e15dcc775
Result
Threat name:
DCRat, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1375048
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1375048 Sample: yQMb9WdMvF.exe Startdate: 16/01/2024 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Antivirus detection for dropped file 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 7 other signatures 2->57 10 yQMb9WdMvF.exe 3 6 2->10         started        process3 file4 45 C:\...\mscombrowserbrokerSvc.exe, MS-DOS 10->45 dropped 47 C:\...OCULzNwQzNkjyObxDJBkkMxcVV8b.vbe, data 10->47 dropped 13 wscript.exe 1 10->13         started        process5 signatures6 79 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->79 16 cmd.exe 1 13->16         started        process7 process8 18 mscombrowserbrokerSvc.exe 3 16 16->18         started        22 conhost.exe 16->22         started        file9 37 C:\Users\user\Music\lsass.exe, MS-DOS 18->37 dropped 39 C:\Recovery\QldKZgzevXEenn.exe, MS-DOS 18->39 dropped 41 C:\...\fontdrvhost.exe, MS-DOS 18->41 dropped 43 3 other malicious files 18->43 dropped 59 Antivirus detection for dropped file 18->59 61 Multi AV Scanner detection for dropped file 18->61 63 Machine Learning detection for dropped file 18->63 65 Drops PE files with benign system names 18->65 24 cmd.exe 1 18->24         started        signatures10 process11 signatures12 67 Uses ping.exe to sleep 24->67 69 Uses ping.exe to check the status of other devices and networks 24->69 27 fontdrvhost.exe 14 2 24->27         started        31 conhost.exe 24->31         started        33 PING.EXE 1 24->33         started        35 chcp.com 1 24->35         started        process13 dnsIp14 49 89.185.84.52, 49712, 49713, 49714 OLIMP-SVYAZ-ASRU Russian Federation 27->49 71 Antivirus detection for dropped file 27->71 73 Multi AV Scanner detection for dropped file 27->73 75 Machine Learning detection for dropped file 27->75 77 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 27->77 signatures15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0f950c613be68fd9e5b6cf87664cab0263c3d3b224458f526566631b21d44d26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f950c613be68fd9e5b6cf87664cab0263c3d3b224458f526566631b21d44d26/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2024-01-12 00:17:42 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6kqyyj342h5tznwz6dwmtflajr4hu5sercy6utfmzrrwioujuta._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240115-3hpddsghbr/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
84db972e28d7341f880b630b7044e401065cbbafa8cdafa9b8361802d9ec8f7c
MD5 hash:
1fd180a3f6a11142fa386a7ca0caaabc
SHA1 hash:
eb0e9f3645b5aa27a3c8290266c00311e5525697
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/02e3ddec-60a6-4f38-8cb9-f2654208f2d3/
SH256 hash:
f054d636204a138e270801136770ffa7882257c46bd71de9bfd125da1510a6c3
MD5 hash:
2f2df1c859759e56d9203b28f84f98ab
SHA1 hash:
63c8acc90a22b7b0eaa53ad606ee5d8390a01495
Link:
https://www.unpac.me/results/02e3ddec-60a6-4f38-8cb9-f2654208f2d3/
SH256 hash:
e6b322713a729d09178e2bcdf60085f3333409095860a4ed861d4e8e9b76c51b
MD5 hash:
b469470503bba6be194ed53ed06ff092
SHA1 hash:
1cd9ac85926bc958d8b8fcdf1cf2cbe911fb3a1c
Link:
https://www.unpac.me/results/02e3ddec-60a6-4f38-8cb9-f2654208f2d3/
SH256 hash:
0f950c613be68fd9e5b6cf87664cab0263c3d3b224458f526566631b21d44d26
MD5 hash:
02e997b17d87f7de5abb0d54a22450f0
SHA1 hash:
b401f0097636a828d5e54460d502a0c388458ecd
Link:
https://www.unpac.me/results/02e3ddec-60a6-4f38-8cb9-f2654208f2d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f950c613be68fd9e5b6cf87664cab0263c3d3b224458f526566631b21d44d26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:mpress_2_xx_net
Create hunting rule
Author:Kevin Falcoz
Description:MPRESS v2.XX .NET
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/471007/

Comments