MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d
SHA3-384 hash: 1920cef3cd5e7197ad188bc85f79af3a709b2fe0454244aad3d51df75db9fe3e52768099db9598ceaf69c6a57631de94
SHA1 hash: a9bd0155ab9bf43fd0fd92ade8e860333cbac098
MD5 hash: 4168406dbd28c5b416f4435e0c40644c
humanhash: blue-ack-triple-mango
File name:4168406dbd28c5b416f4435e0c40644c.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'377'990 bytes
First seen:2024-02-03 23:55:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:tBXEr/iSw+0VETjpsFjo4HceGVhp3aZRle4WhpjNp8Wb:nULpw+5TT4HOZahe4GNp8S
Threatray 1'039 similar samples on MalwareBazaar
TLSH T12DB523117DD5CC73C2561A725AF1F330A57EBA603FA68E87C78019ACED35EC4A6207A1
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0f1d3d8b1a1c2c0 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://907916cm.nyashtech.top/eternalsecureHttpPacketBigloadsqlTest.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
534
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474449/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien anti-vm fingerprint installer lolbin overlay packed packed setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/65bed2931c125702ab38d0ce/reports/8168b3e0-4993-401b-bf8d-0002c5520fc0/overview
Verdict:
Malicious
Labled as:
Trojan.Uztuby
Link:
https://www.hybrid-analysis.com/sample/2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/29735b08-1984-4d50-9dde-3372677ce018
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386230
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386230 Sample: BnbyU8GVp0.exe Startdate: 04/02/2024 Architecture: WINDOWS Score: 100 61 907916cm.nyashtech.top 2->61 71 Snort IDS alert for network traffic 2->71 73 Multi AV Scanner detection for domain / URL 2->73 75 Antivirus detection for URL or domain 2->75 77 8 other signatures 2->77 11 BnbyU8GVp0.exe 3 6 2->11         started        signatures3 process4 file5 49 C:\...\AgentcomponentWinhostDll.exe, PE32 11->49 dropped 51 1ldIcBYEQg7RjcVGSq...7htAmpoYpl9wYMA.vbe, data 11->51 dropped 14 wscript.exe 1 11->14         started        process6 signatures7 93 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->93 17 cmd.exe 1 14->17         started        process8 process9 19 AgentcomponentWinhostDll.exe 3 25 17->19         started        23 reg.exe 1 1 17->23         started        25 conhost.exe 17->25         started        file10 41 C:\Users\user\Desktop\vEDbTnub.log, PE32 19->41 dropped 43 C:\Users\user\Desktop\mWjLjLpt.log, PE32 19->43 dropped 45 C:\Users\user\Desktop\hiRMHOaF.log, PE32 19->45 dropped 47 11 other malicious files 19->47 dropped 79 Antivirus detection for dropped file 19->79 81 Multi AV Scanner detection for dropped file 19->81 83 Machine Learning detection for dropped file 19->83 27 cmd.exe 1 19->27         started        85 Disable Task Manager(disabletaskmgr) 23->85 87 Disables the Windows task manager (taskmgr) 23->87 signatures11 process12 signatures13 89 Uses ping.exe to sleep 27->89 91 Uses ping.exe to check the status of other devices and networks 27->91 30 FxRZlZEsxbUCuZBTMxwR.exe 14 500 27->30         started        35 conhost.exe 27->35         started        37 PING.EXE 1 27->37         started        39 chcp.com 1 27->39         started        process14 dnsIp15 63 907916cm.nyashtech.top 172.67.178.175, 49707, 49708, 49711 CLOUDFLARENETUS United States 30->63 53 C:\Users\user\Desktop\ykZBkAPr.log, PE32 30->53 dropped 55 C:\Users\user\Desktop\rnlCHlVC.log, PE32 30->55 dropped 57 C:\Users\user\Desktop\owvLApVJ.log, PE32 30->57 dropped 59 5 other malicious files 30->59 dropped 65 Multi AV Scanner detection for dropped file 30->65 67 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 30->67 69 Tries to harvest and steal browser information (history, passwords, etc) 30->69 file16 signatures17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2024-01-15 00:25:14 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fl2gefulvuwlrfp5v6pxpd5caioy4552oijpalz4wpz2ydydimoq._file
Verdict:
unknown
Similar samples:
2b3cfcebf56ccf096cf122b8ef31b0dafbb1244a6687df6839d918a886651018
DCRat
50d3139540de39192258ecca5c0320ffb78580edb8b4d986d5514daad1f2d3dd
DCRat
8b8de9e06ccd838b76c8b298faa321972978d09ac85ef82c9da08bb1cd08f90e
DCRat
a43b57ade3c34d24fbe7999e02ea4343cea4ba836b3fafc5602a76cd00389d4f
DCRat
b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10
DCRat
bb6dd92c033f4ff84f274b05465973002b52ae934bd36e8e1a7bbb74a2aff858
DCRat
c2958b80b0f33e4725e2c8aed24dbb259d68198a970385afa3ed2e8df0280a08
DCRat
+ 1'029 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat evasion rat spyware stealer
Link:
https://tria.ge/reports/240203-3yz5tscgc8/
Behaviour
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
f5cfd67248766681a0adf219ddd04a1ea1c78157be90a7d7c92d115bd1fab22c
MD5 hash:
900246653d3c4582b86ba8c3f363c814
SHA1 hash:
ebb4194497160b7770cd9c543141a9bce458fe79
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/701cab42-c2f8-4509-9d42-b05c496329c5/
SH256 hash:
2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d
MD5 hash:
4168406dbd28c5b416f4435e0c40644c
SHA1 hash:
a9bd0155ab9bf43fd0fd92ade8e860333cbac098
Link:
https://www.unpac.me/results/701cab42-c2f8-4509-9d42-b05c496329c5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2af462168bad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474449/

Comments