MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88
SHA3-384 hash: b4f4918ef22ae375d8652159176723a6fa50c5e350551520d53bcb48f5a9b42453bc65f99bfaa554c57359e598d33d9b
SHA1 hash: 47f7fdbee2c963e63b52cac18bc5b9bed9b7c10c
MD5 hash: 2059b153136de16e58e27a8549dac1b5
humanhash: violet-mobile-jupiter-alanine
File name:2059b153136de16e58e27a8549dac1b5.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'164'401 bytes
First seen:2024-02-14 09:40:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:URZ+IoG/n9IQxW3OBseUUT+tcYbDEq7n2lBvR0dWfExtTWmOfcziDi+CUF9q:u2G/nvxW3WieCDHWBvNCtbskUF9q
Threatray 270 similar samples on MalwareBazaar
TLSH T1CE455A017E44CA21F0191633C2EF460847B4AC112BA6E72B7EBE376E55523A77D1DACB
TrID 76.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.2% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a0919021.xsph.ru/L1nc0In.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/476105/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

Win.Trojan.Uztuby-10010740-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Sending a UDP request
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd cscript dcrat explorer fingerprint installer lolbin overlay packed schtasks setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/65cc8ab1ac375bec15e6d3c8/reports/bee0a423-e846-4a7b-960e-21e3001774e4/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ace9ea1e-7088-4c07-b233-d65b4825ae7c
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1392034
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1392034 Sample: IfDpIxmlj1.exe Startdate: 14/02/2024 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 11 other signatures 2->55 9 IfDpIxmlj1.exe 3 6 2->9         started        12 jalVgnmVAQBOSZkMZHY.exe 3 2->12         started        14 jalVgnmVAQBOSZkMZHY.exe 2 2->14         started        process3 file4 43 C:\...\runtimesvc.exe, PE32 9->43 dropped 45 C:\...\nNwgCkzp4Tu.vbe, data 9->45 dropped 16 wscript.exe 1 9->16         started        process5 signatures6 47 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->47 19 cmd.exe 1 16->19         started        process7 process8 21 runtimesvc.exe 3 28 19->21         started        25 conhost.exe 19->25         started        file9 35 C:\...\jalVgnmVAQBOSZkMZHY.exe, PE32 21->35 dropped 37 C:\...\WinStore.App.exe, PE32 21->37 dropped 39 C:\Windows\...\jalVgnmVAQBOSZkMZHY.exe, PE32 21->39 dropped 41 9 other malicious files 21->41 dropped 57 Antivirus detection for dropped file 21->57 59 Multi AV Scanner detection for dropped file 21->59 61 Machine Learning detection for dropped file 21->61 63 2 other signatures 21->63 27 schtasks.exe 21->27         started        29 schtasks.exe 21->29         started        31 schtasks.exe 21->31         started        33 31 other processes 21->33 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88/
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2024-02-11 06:22:31 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjuxlazgorrhezoadjrgugnor7ykgd6xw7nz4f6atazjombin6ea._file
Verdict:
malicious
Similar samples:
2882b29fc8c4bc157b8416a4a621084557639de0dd7a86dcf0dda2e35b900517
DCRat
3dd0a5685e10ef6d63758cafee7c651f8ae80a47664158976ace7b80c825a032
DCRat
3e55b54015ebcc09dce584c6963caaa487f62492f015f7daa4c645bcb7bb1bcd
DCRat
7fed6406da8c6fac0504f899f2d88cf18c82b40d10d28e0651d851aa8113a13b
DCRat
db27a1103437042989486896fb714fd8cd59a856a7db453bbcc2162794b3fde6
DCRat
+ 260 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/240214-lnrx2agb57/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
17431781b4d634c1a6f0e6265fdafcdf9eb122ad54f39a35a65ad0aca9a90767
MD5 hash:
ed66730e6ae871c628540ae1d707ffa4
SHA1 hash:
724a5d4a86e5af83df6c309fa4a5908a115f149d
Link:
https://www.unpac.me/results/64be4ef0-b91b-48a7-be82-07b80162254a/
SH256 hash:
326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88
MD5 hash:
2059b153136de16e58e27a8549dac1b5
SHA1 hash:
47f7fdbee2c963e63b52cac18bc5b9bed9b7c10c
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/64be4ef0-b91b-48a7-be82-07b80162254a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:win_xorist_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xorist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/476105/

Comments