MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f7d9439b10487d32039fc54b625bf9345e3b3c674d2dd6e80bdaac163f7b35d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	1f7d9439b10487d32039fc54b625bf9345e3b3c674d2dd6e80bdaac163f7b35d
SHA3-384 hash:	bebff0dbda9bfeb6029d34b828b06ec8ac20e65eb410576e7f1514b4db60eacf18e0270b059ab008b9aa67e0a502c299
SHA1 hash:	f98d52bdbddb1c9b79995ff12bc74aa75cd8724d
MD5 hash:	e004e5c1bec4f7ae13425ed1d52d9052
humanhash:	cup-autumn-single-connecticut
File name:	1F7D9439B10487D32039FC54B625BF9345E3B3C674D2D.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'033'728 bytes
First seen:	2021-12-24 18:31:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:qsdvefsRi8h25C6O2RLiHTaAo7fP6wxqhMKddTH/Ba04eHJveqi+d98yEWOqn4:qUgo2fLilhdo0jJvc+YVb+4
Threatray	359 similar samples on MalwareBazaar
TLSH	T19F2539127A49CE06D169263BC5EF406447BCAD497A62DB1A7EAF339D60017E70E0E1CF
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://62.109.30.251/ImageResoulstion.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://62.109.30.251/ImageResoulstion.php	https://threatfox.abuse.ch/ioc/227759/

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1F7D9439B10487D32039FC54B625BF9345E3B3C674D2D.exe

Verdict:

Malicious activity

Analysis date:

2021-12-24 18:35:37 UTC

Tags:

trojan rat backdoor dcrat

Link:

https://app.any.run/tasks/17b07d99-575f-49c1-bec2-ddff5dd1d195

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/216228/

Detection(s):

Win.Malware.Uztuby-9848412-0

Win.Packed.Uztuby-9851623-0

Win.Packed.Uztuby-9875336-0

Win.Packed.Basic-9908857-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the system32 subdirectories

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Sending an HTTP GET request

DNS request

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm greyware hacktool keylogger obfuscated packed quasar stealer

Link:

https://www.filescan.io/uploads/61c61227ec6c6c14a9efc502/reports/fb383a30-99e6-46f0-9ce1-074a29aa5875/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e374bce4-710f-463f-b047-0cffc526c42e

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/912546

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1f7d9439b10487d32039fc54b625bf9345e3b3c674d2dd6e80bdaac163f7b35d/

Threat name:

ByteCode-MSIL.Backdoor.LightStone

Status:

Malicious

First seen:

2021-10-01 07:27:31 UTC

File Type:

PE (.Net Exe)

AV detection:

29 of 43 (67.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d56zionrasd5gibz7rklmjn7snc6hm6gotjn23uaxwvmcy7xwnoq._file

Verdict:

malicious

DCRat

2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792

DCRat

4df9040a0d79098abfd8c1c7bf1c3834447ba5b2deb28025403aeff58a644520

DCRat

64a5d5ff4b9b7852b6a20bb8af8502bf2d08c0f3fd840bb582911d6fdbaf4f8e

DCRat

7be1596a18ba79bae65ad35dec1f9b568a7f73b5b055a4848de3766fa5b1d6e3

DCRat

8d7228ae5c573a10f0e86fc84ca9c5d6e1894428af1b582fdb54f6caf446bf3c

DCRat

c39d68efeada072170dc0be43e29b61f92cd62f70e3cc4ef31fd44d1aa44d5c0

DCRat

d7fa1b64c4a5a79700791c113b5b2594a2194a8ca83bf18494337ef12d88fdb6

DCRat

+ 349 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat infostealer persistence rat suricata

Link:

https://tria.ge/reports/211224-w6mfdadhap/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Executes dropped EXE

DCRat Payload

DcRat

Process spawned unexpected child process

suricata: ET MALWARE DCRAT Activity (GET)

Unpacked files

SH256 hash:

49dd10bf34acb11a37a3b3250ab70f542b1739f74ef7ab4e90634520e7994795

MD5 hash:

9d9c165c33e6fc4fa90ab538695b74c3

SHA1 hash:

cb6a70b457625e5eeafd12464e883b7c9c78229c

Link:

https://www.unpac.me/results/99de7856-794d-43cc-9217-9322f17a1dd5/

SH256 hash:

f4dbaec73ccd5c6431cf902d7327ddb9f2c87de2434226bb18948ba4ee5755ed

MD5 hash:

b45e9d751c574567757174ac44bf54a1

SHA1 hash:

642fc5f04600f8a8ba6feeec08cf94f281c40d0d

Link:

https://www.unpac.me/results/99de7856-794d-43cc-9217-9322f17a1dd5/

Parent samples :

56b97987918aafadb2b070083e19236388c3ac087b80a8d548c07ff31252eb17
6176ead880248cbccdf7df359034699e937249e13608b788be1b25158b09c1ca
3927622ef8e0a99764011d9f98f47bf0eb1a39df514a7e02e78d3cc7773c4944
0daea272c1fa7bb54113cfc6948f10b9346f2cf05000ac5b57aaed5cef8dae05
e0fa9c62364826149547d32728d06d155bdc6a54e90554695f8039bd7b73d036

SH256 hash:

934543028f3cf24a7744885e41ab0a04a6b04a83b35e159518cdd6185c69369d

MD5 hash:

d9aa68af2a4126f1b5a2b94752def123

SHA1 hash:

6eacb1369f628c9c4036efcac4a6ec2d6b4a5ac7

Link:

https://www.unpac.me/results/99de7856-794d-43cc-9217-9322f17a1dd5/

SH256 hash:

1f7d9439b10487d32039fc54b625bf9345e3b3c674d2dd6e80bdaac163f7b35d

MD5 hash:

e004e5c1bec4f7ae13425ed1d52d9052

SHA1 hash:

f98d52bdbddb1c9b79995ff12bc74aa75cd8724d

Link:

https://www.unpac.me/results/99de7856-794d-43cc-9217-9322f17a1dd5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1f7d9439b10487d32039fc54b625bf9345e3b3c674d2dd6e80bdaac163f7b35d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/216228/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample