MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3172184f6108ac6e72bf0b421d2bcf01104f88afebdadf6ebfb3e81e53663bda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3172184f6108ac6e72bf0b421d2bcf01104f88afebdadf6ebfb3e81e53663bda
SHA3-384 hash: 55f837d1b3edf4600af4b1f0a5db9074f8c7a0bed19614c7d48396adacec18dd433b93e5275a40c77967b840ed42fca6
SHA1 hash: 6f715d8f4d238927594a526b0d8aa258cd12e2f3
MD5 hash: 2ed2035be4d1c5bebcb1b2980c0f3778
humanhash: salami-london-wisconsin-cup
File name:2ed2035be4d1c5bebcb1b2980c0f3778.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'611'136 bytes
First seen:2024-02-03 18:25:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:POgb6DIWcZuvn7jGp4481HUrySdFgQ3N5j:PO86DIFZq7qpJ81HZEgQNh
Threatray 301 similar samples on MalwareBazaar
TLSH T1C4F5F10661D65E33C2A4673182AB013E4294CB617615FB5B7A0F24D2AC077F98BB37B7
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://076902cm.nyashtech.top/Lowuniversal.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
3172184f6108ac6e72bf0b421d2bcf01104f88afebdadf6ebfb3e81e53663bda.exe
Verdict:
Malicious activity
Analysis date:
2024-02-03 18:28:27 UTC
Tags:
dcrat rat
Link:
https://app.any.run/tasks/001aa803-dac8-493a-b5ea-f8bbb2e01f3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474403/
Detection(s):
Win.Packed.Uztuby-10009381-0
Create hunting rule

Win.Packed.Uztuby-10015486-0
Create hunting rule

Win.Packed.Uztuby-10015902-0
Create hunting rule

Win.Packed.Uztuby-10017372-0
Create hunting rule

Win.Packed.Uztuby-10017373-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65be853e2dd4529ad253c677/reports/83b9487d-3ae2-4e24-ada6-9de77066ce68/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/3172184f6108ac6e72bf0b421d2bcf01104f88afebdadf6ebfb3e81e53663bda
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b68445e4-c648-40dd-8db9-406c0e137469
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386164
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386164 Sample: R6pRmbGR5A.exe Startdate: 03/02/2024 Architecture: WINDOWS Score: 100 41 076902cm.nyashtech.top 2->41 51 Snort IDS alert for network traffic 2->51 53 Multi AV Scanner detection for domain / URL 2->53 55 Antivirus detection for URL or domain 2->55 57 10 other signatures 2->57 8 R6pRmbGR5A.exe 4 41 2->8         started        signatures3 process4 file5 25 C:\Windows\...\MkFERHslxpjxHBsyllKagWQcZ.exe, PE32 8->25 dropped 27 C:\Windows\...\MkFERHslxpjxHBsyllKagWQcZ.exe, PE32 8->27 dropped 29 C:\Users\user\Desktop\zdiwHFHJ.log, PE32 8->29 dropped 31 23 other malicious files 8->31 dropped 11 cmd.exe 1 8->11         started        process6 signatures7 59 Uses ping.exe to sleep 11->59 61 Drops executables to the windows directory (C:\Windows) and starts them 11->61 63 Uses ping.exe to check the status of other devices and networks 11->63 14 MkFERHslxpjxHBsyllKagWQcZ.exe 14 23 11->14         started        19 conhost.exe 11->19         started        21 PING.EXE 1 11->21         started        23 chcp.com 1 11->23         started        process8 dnsIp9 43 076902cm.nyashtech.top 172.67.178.175, 49734, 49735, 49736 CLOUDFLARENETUS United States 14->43 45 104.21.31.169, 49968, 49994, 50046 CLOUDFLARENETUS United States 14->45 33 C:\Users\user\Desktop\wRQfBqQc.log, PE32 14->33 dropped 35 C:\Users\user\Desktop\sjJGYcqo.log, PE32 14->35 dropped 37 C:\Users\user\Desktop\oljxmxPp.log, PE32 14->37 dropped 39 18 other malicious files 14->39 dropped 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->47 49 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 14->49 file10 signatures11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3172184f6108ac6e72bf0b421d2bcf01104f88afebdadf6ebfb3e81e53663bda
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3172184f6108ac6e72bf0b421d2bcf01104f88afebdadf6ebfb3e81e53663bda/
Threat name:
ByteCode-MSIL.Trojan.DCRat
Create hunting rule
Status:
Malicious
First seen:
2024-01-28 15:01:32 UTC
File Type:
PE (.Net Exe)
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gfzbqt3bbcwg44v7bnbb2k6paeie7cfp5pnn63v7wpub4u3ghpna._file
Verdict:
malicious
Similar samples:
40faf695c36c68e2cb0e605c72a8b2fdc0a5ea561b01fb74d4e66d0c98707c0a
DCRat
41971da9cb866aa19e6d70d62287f622bb79d9cbbee1a8a29c44ecc3b066afc6
DCRat
50d3139540de39192258ecca5c0320ffb78580edb8b4d986d5514daad1f2d3dd
DCRat
96cd2c662aac016badbfbf78754711578725ca5f206b5a6a37da1aa20521fea2
DCRat
977ed2603aee0d2c7221ad597a19f7dc0e62ec2c76ffa6f1cb5fddac8191dee7
DCRat
97c8904e0e2da52a0021dabc7d281eab4341a36e6dd94b7d98a4c1c3eee4ba1e
DCRat
a9d10fb2c8e906e66c0e11c8d2d66df28efcc62920dbcd341404933da7928c2e
DCRat
d5090fe98db8baf1f62c6a8d85499883ff121afd909d6f7861c76529bd8c86c4
DCRat
+ 291 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240203-w269zshhgr/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
3172184f6108ac6e72bf0b421d2bcf01104f88afebdadf6ebfb3e81e53663bda
MD5 hash:
2ed2035be4d1c5bebcb1b2980c0f3778
SHA1 hash:
6f715d8f4d238927594a526b0d8aa258cd12e2f3
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/e009ba30-2cca-44f9-9827-5a605e3f7a2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3172184f6108ac6e72bf0b421d2bcf01104f88afebdadf6ebfb3e81e53663bda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474403/

Comments