MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba
SHA3-384 hash: c382a4b82216c9e147177be134f68c14faf6d580d3468395c1f8fae3524c1b67c4d194c74e921349acac0790d088455d
SHA1 hash: 5a1a8b1700bb4065e263fb9974dc98aabed1f30c
MD5 hash: 846b6c06cb80af594a2248fcb4a64af2
humanhash: magnesium-cup-autumn-network
File name:846B6C06CB80AF594A2248FCB4A64AF2.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:4'054'392 bytes
First seen:2024-01-25 23:30:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 98304:yGsHJhktLsh+zBBzcmvJa8C4Nx3tFeV5lwaPvi:hsH2vlcmvJDC4NVeV5SUq
Threatray 1'010 similar samples on MalwareBazaar
TLSH T1B416F1067A925E72C2611B324267023D92A0D7267661FF5B361F2197ED0B7F18B336B3
TrID 74.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://852377cm.nyashland.top/requestSecurePacketServerMultidefaultTrackPublicUploads.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
409
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba.zip
Verdict:
Malicious activity
Analysis date:
2024-01-26 04:13:47 UTC
Tags:
dcrat rat
Link:
https://app.any.run/tasks/ce4dbb0b-0245-46b4-96f7-4e9a9d276ff0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472966/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Packed.Uztuby-10009381-0
Create hunting rule

Win.Packed.QuasarRAT-10014495-0
Create hunting rule

Win.Packed.Uztuby-10015486-0
Create hunting rule

Win.Packed.Uztuby-10015902-0
Create hunting rule

Win.Packed.Uztuby-10017372-0
Create hunting rule

Win.Packed.Uztuby-10017373-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Loading a suspicious library
Using the Windows Management Instrumentation requests
Moving a file to the Program Files subdirectory
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Replacing executable files
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
alien fingerprint installer overlay packed packed sfx
Link:
https://www.filescan.io/uploads/65b2ef3af3cf17c17b7a3d29/reports/c1104bda-c6d1-43e4-a28a-661802346038/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8.Gen;Trojan.Uztuby
Link:
https://www.hybrid-analysis.com/sample/12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ef60f4bb-6315-4ba9-8690-76c7682d0bd6
Result
Threat name:
DCRat, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1381429
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1381429 Sample: lIGqSYlwHs.exe Startdate: 26/01/2024 Architecture: WINDOWS Score: 100 77 Snort IDS alert for network traffic 2->77 79 Antivirus detection for URL or domain 2->79 81 Antivirus detection for dropped file 2->81 83 8 other signatures 2->83 10 lIGqSYlwHs.exe 3 6 2->10         started        13 csrss.exe 2->13         started        16 ujZHLNKJmwcPeYu.exe 2->16         started        18 4 other processes 2->18 process3 file4 73 C:\...\ComponentwinPerfNet.exe, PE32 10->73 dropped 75 PtfJmi7BuwHlVeqkaZ...Lcf5ECpagswKBYp.vbe, data 10->75 dropped 20 wscript.exe 1 10->20         started        103 Antivirus detection for dropped file 13->103 105 Multi AV Scanner detection for dropped file 13->105 107 Machine Learning detection for dropped file 13->107 signatures5 process6 signatures7 87 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->87 89 Suspicious execution chain found 20->89 23 cmd.exe 20->23         started        process8 process9 25 ComponentwinPerfNet.exe 11 48 23->25         started        29 reg.exe 1 1 23->29         started        31 conhost.exe 23->31         started        file10 65 C:\Users\user\Desktop\zuOItHQB.log, PE32 25->65 dropped 67 C:\Users\user\Desktop\uIkqWOtE.log, PE32 25->67 dropped 69 C:\Users\user\Desktop\tuCQmslH.log, PE32 25->69 dropped 71 24 other malicious files 25->71 dropped 91 Antivirus detection for dropped file 25->91 93 Multi AV Scanner detection for dropped file 25->93 95 Creates an undocumented autostart registry key 25->95 101 6 other signatures 25->101 33 csc.exe 4 25->33         started        37 csc.exe 4 25->37         started        39 cmd.exe 25->39         started        41 23 other processes 25->41 97 Disable Task Manager(disabletaskmgr) 29->97 99 Disables the Windows task manager (taskmgr) 29->99 signatures11 process12 file13 61 C:\Program Files (x86)\...\msedge.exe, PE32 33->61 dropped 85 Infects executable files (exe, dll, sys, html) 33->85 43 conhost.exe 33->43         started        45 cvtres.exe 1 33->45         started        63 C:\Windows\...\SecurityHealthSystray.exe, PE32 37->63 dropped 47 conhost.exe 37->47         started        49 cvtres.exe 1 37->49         started        57 3 other processes 39->57 51 conhost.exe 41->51         started        53 conhost.exe 41->53         started        55 conhost.exe 41->55         started        59 16 other processes 41->59 signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2024-01-23 15:20:00 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjaxvgpbppkx7urkjn5pfzdithah3az7nvnkxey4rpdgt4hna25a._file
Verdict:
malicious
Similar samples:
0537c1263ee662b719101b91b8f8ce37fa4e55caea8e8f6acc00e314d32a13f0
DCRat
46e646dcfb73f26f153653b020f9871da0dc1bbd39b518e159616e352ebee9fc
DCRat
50d3139540de39192258ecca5c0320ffb78580edb8b4d986d5514daad1f2d3dd
DCRat
521ae26c914c5ed46c3de21fb35037ed5b99540e11d45bbec7ebe24e45bb741f
DCRat
91961eaa9827da1b3d02c59058af785b066268490135d84c57d4a3263a832469
DCRat
b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10
DCRat
c2958b80b0f33e4725e2c8aed24dbb259d68198a970385afa3ed2e8df0280a08
DCRat
ca45a1e98effa71c140cff33cead61a77779f1bceef0e6a51e24d09f7daf3987
DCRat
+ 1'000 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat evasion persistence rat spyware stealer
Link:
https://tria.ge/reports/240125-3hn3mahee5/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Detect ZGRat V1
Modifies WinLogon for persistence
Process spawned unexpected child process
ZGRat
Unpacked files
SH256 hash:
03a31293acd1038ca915a06c0c461a732d6db141494a6d1de1f15503fb700f1d
MD5 hash:
c2853ae3448a09c724d5d5e511fed2e4
SHA1 hash:
82792450baa017b8745ee1bd6e3ad6cc8135f9cb
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/de4834e5-1f9e-42b5-97ae-bda119baa228/
SH256 hash:
12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba
MD5 hash:
846b6c06cb80af594a2248fcb4a64af2
SHA1 hash:
5a1a8b1700bb4065e263fb9974dc98aabed1f30c
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/de4834e5-1f9e-42b5-97ae-bda119baa228/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/12417a99e17b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12417a99e17bd57fd22a4b7af2e46899c07d833f6d5aab931c8bc669f0ed06ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/472966/

Comments