MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a
SHA3-384 hash: 8334b5c809c085a3bd97bad8e6d66d10022d1e38896ca0468d4de19b1ee044100c41402559cc3155c36025cb1e30cb6a
SHA1 hash: 15bd9167ee126508e00af1727d290d7e5dd2fcde
MD5 hash: 53412ae0fc2d28c7c10622e88ab578bd
humanhash: sink-shade-batman-bakerloo
File name:2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a
Download: download sample
Signature DCRat
Create hunting rule
File size:854'839 bytes
First seen:2021-03-01 14:46:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:0Qnk3GDYKGcblwtX+t4Y8P3USw5hWO0WbqhGvKfTy4iUkMEuROMA:IAOcZwXYY3USw5VFWyKfeUXEuR1A
Threatray 434 similar samples on MalwareBazaar
TLSH 90051242B5D18872D93319324A39AB156D3D7D201F24DB6FBBE42A6DDA340D07638BB3
Reporter c3rb3ru5d3d53c2
Tags:DCRat


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a
Verdict:
Malicious activity
Analysis date:
2021-03-01 15:12:42 UTC
Tags:
trojan rat backdoor dcrat evasion
Link:
https://app.any.run/tasks/f7891401-735a-487b-8dd9-68c6524440f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120329/
Detection(s):
Win.Trojan.Uztuby-9774367-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/622315
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 360150 Sample: F4eUem6E98 Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 85 Found malware configuration 2->85 87 Antivirus detection for dropped file 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 9 other signatures 2->91 13 F4eUem6E98.exe 3 6 2->13         started        17 msiexec.exe 2->17         started        19 fontdrvhost.exe 2->19         started        21 GqbBduwHMytclOIWdyWXbQtMH.exe 16 12 2->21         started        process3 dnsIp4 77 C:\Adobe\u1S4O19DeLZXZY2hpjwJ.exe, PE32 13->77 dropped 103 Drops executable to a common third party application directory 13->103 24 wscript.exe 1 13->24         started        105 Antivirus detection for dropped file 17->105 107 Machine Learning detection for dropped file 17->107 109 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->109 79 ca17945.tmweb.ru 92.53.116.135, 49741, 49746, 49747 TIMEWEB-ASRU Russian Federation 21->79 81 ipinfo.io 216.239.32.21, 443, 49745 GOOGLEUS United States 21->81 83 192.168.2.1 unknown unknown 21->83 111 Tries to harvest and steal browser information (history, passwords, etc) 21->111 file5 signatures6 process7 process8 26 cmd.exe 1 24->26         started        process9 28 u1S4O19DeLZXZY2hpjwJ.exe 6 26->28         started        32 conhost.exe 26->32         started        34 conhost.exe 26->34         started        file10 75 C:\Adobe\security.exe, PE32 28->75 dropped 101 Drops executable to a common third party application directory 28->101 36 wscript.exe 1 28->36         started        signatures11 process12 process13 38 cmd.exe 1 36->38         started        process14 40 security.exe 1 17 38->40         started        44 conhost.exe 38->44         started        file15 67 C:\Windows\appcompat\...\msiexec.exe, PE32 40->67 dropped 69 C:\Recovery\fontdrvhost.exe, PE32 40->69 dropped 71 C:\Recovery\HxTsr.exe, PE32 40->71 dropped 73 4 other malicious files 40->73 dropped 93 Antivirus detection for dropped file 40->93 95 Machine Learning detection for dropped file 40->95 97 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 40->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->99 46 HxTsr.exe 40->46         started        49 schtasks.exe 1 40->49         started        51 schtasks.exe 1 40->51         started        53 5 other processes 40->53 signatures16 process17 signatures18 113 Antivirus detection for dropped file 46->113 115 Machine Learning detection for dropped file 46->115 117 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 46->117 55 conhost.exe 49->55         started        57 conhost.exe 51->57         started        59 conhost.exe 53->59         started        61 conhost.exe 53->61         started        63 conhost.exe 53->63         started        65 conhost.exe 53->65         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-01 14:47:06 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
22 of 48 (45.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09861033c2109fa6827b4ff30052d087e28b81a53bd0b4d235c68128a8a451f5
DCRat
148feabec33f94aece0555b58ff452996a62c1b1437b1a01aebef8541c80e3b6
DCRat
3f1d6522a3dc9c69310b7c960788de537186c1256dae425eac2cf07c66dd3ab8
DCRat
4231d303577111382f2c3a44d1b4077b11dfe8125d851a5bda6ceebef5a0d5a4
DCRat
50444a618ccea3cc6b93088378260b2fab89b5b92d4b06f27fc2e8a58b950c79
DCRat
7125ff46ae7468216b1764b9e22b5811d4890f33a237776c6cbf22c8d8f09bbc
DCRat
95c7436558a5834379102b569f796d288fa04d8cbc52d7719709caec3cc7da09
DCRat
99d43aa9fa06949203732d4bd282d517ca24216d78a37ac04e8566dad1add025
DCRat
a8820beaeefff48ca74cc149e99807845bbbb9d5a3b02ce625ba778ba129afe9
DCRat
f5c3eeb8f2ea96aa8b70d7819ffef017bc30b76b58bc7e85ec796e8e8bb789b2
DCRat
+ 424 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/210301-8c3ewgnfp6/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
a094c6ac02332eecd98ac8b9c204123575cc64792a605ebadf034e85a344bfc5
MD5 hash:
3eefa0dd6b3002e18ddcc0d947e3fb4e
SHA1 hash:
b87207016259569872ce7ddfa076951e51430fec
Link:
https://www.unpac.me/results/5af67d7d-8a05-4483-81e5-f19b69f526df/
SH256 hash:
2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a
MD5 hash:
53412ae0fc2d28c7c10622e88ab578bd
SHA1 hash:
15bd9167ee126508e00af1727d290d7e5dd2fcde
Link:
https://www.unpac.me/results/5af67d7d-8a05-4483-81e5-f19b69f526df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120329/

Comments