MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 10



SHA256 hash: 2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
SHA3-384 hash: a97fe47b2a24dd4eb5eb084e781a971f2b808d946c65f27936449691d640dad616b494f81218e315b3605c4f301d0a89
SHA1 hash: 9c42ea5e12bc412974fd00fbe03dc5138bc48c24
MD5 hash: da07bcc8ba0d87ff635514ff0a5f1b6e
humanhash: romeo-item-steak-cup
File name: setup.exe
Signature: DCRat
File size: 1'421'421 bytes
First seen: 2021-06-24 21:51:26 UTC
Last seen: 2021-06-24 21:51:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:U2G/nvxW3Ww0t88QLaURYpsMRmGwW7R2wW7RQN92wW0RWNawW4RfOpsknwW7Rf6a:UbA308RLaURYpsMRmGwW7R2wW7RQN92I
Threatray: 368 similar samples on MalwareBazaar
TLSH: 556549037A8EDD92E4292A37C9EF546407B8FD017B66EB1A7E9B335C64113A30D0D5CA
Reporter: Anonymous
Tags: DCRat exe


Anonymous
We run a multi-gaming organisation/multi-game guild with a large number of members, and receive targeted spearphishing and non-targeted malware, typically RATs or keyloggers, attempting to compromise accounts and steal items.

On our forums, we also automatically quarantine new accounts that DM users links. These uploads are typically the outputs of online uploads, spambots, or users trying to steal kids' game accounts.

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://setlire.space/PythondbGeneratortraffic.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/153629/

Intelligence


File Origin
# of uploads: 2
# of downloads: 108
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: extract.zip
Verdict: Malicious activity
Analysis date: 2021-06-24 17:50:36 UTC
Tags: evasion trojan rat backdoor dcrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature:
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Threat name: ByteCode-MSIL.Trojan.SpyNoon
Status: Malicious
First seen: 2021-06-24 21:52:22 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:dcrat infostealer rat spyware stealer
Behaviour:
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DCRat Payload
DcRat
Unpacked files
SHA256 hash: 9ada53ed3ea8e1da6d93298c945e71179235f53baf6f363a37de83f1a977e148
MD5 hash: 207393bd86d010eb211b12f7e9a2faf1
SHA1 hash: 909df06527f2c27cfcccd21e36d743ebe08f9c9a

SHA256 hash: 2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
MD5 hash: da07bcc8ba0d87ff635514ff0a5f1b6e
SHA1 hash: 9c42ea5e12bc412974fd00fbe03dc5138bc48c24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: DCRat
File type: Executable exe
SHA256 hash: 2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728 (this sample)

Delivery method: Distributed via web download

Comments