MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34ad01f150a3ad26c6a583885be072d1df361a2032be73649a883d0b57015711. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	34ad01f150a3ad26c6a583885be072d1df361a2032be73649a883d0b57015711
SHA3-384 hash:	42a6c372a603eb004bec04cab1b4d9a76e016e16f87b4356811ae6fc39c7cd46b47fed26192a8dd9d5d1bb5beef405fd
SHA1 hash:	f49c56efd20a816c2c75907ab8c8a6c7b0cf8633
MD5 hash:	a6875b7c63549e1dd2798c72e8fb6c26
humanhash:	bakerloo-kentucky-fix-don
File name:	a6875b7c63549e1dd2798c72e8fb6c26.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'313'524 bytes
First seen:	2022-01-31 01:00:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:U2G/nvxW3Ww0tRjINIF0bQxYAS8gzrIkqPhRQCnxSOBWMNg:UbA309Io0bXrJdCxqMS
TLSH	T1A7555B027A84CA21D06A1637C5EF451447BCFD413A22EB1B7EAE3B6D25213A71D4E6CF
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://portfolioksk.xyz/protecttraffic.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://portfolioksk.xyz/protecttraffic.php	https://threatfox.abuse.ch/ioc/370934/

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a6875b7c63549e1dd2798c72e8fb6c26.exe

Verdict:

Malicious activity

Analysis date:

2022-01-31 01:17:16 UTC

Tags:

trojan rat backdoor dcrat phishing stealer

Link:

https://app.any.run/tasks/d492884e-9597-4506-9483-6bbfb4f9f8b9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/228206/

Detection(s):

Win.Trojan.Uztuby-9855059-0

Win.Ransomware.Clinix-9868408-0

Win.Packed.Uztuby-9937390-0

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

DNS request

Running batch commands

Creating a process with a hidden window

Creating a file in the system32 subdirectories

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the Program Files subdirectories

Creating a file in the %temp% directory

Sending a UDP request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5542/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed packed replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe

Link:

https://www.filescan.io/uploads/61f734d0d7fd65ae55f96854/reports/6647c25b-0d23-4f99-9d17-399974f8eb08/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/90343bf6-0455-483f-8905-bbef65053fe2

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930606

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34ad01f150a3ad26c6a583885be072d1df361a2032be73649a883d0b57015711/

Threat name:

ByteCode-MSIL.Trojan.ZmutzyLscpt

Status:

Malicious

First seen:

2022-01-28 13:34:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gswqd4kquowsnrvfqoefxyds2hptmgragk7hgze2ra6qwvybk4iq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence spyware stealer suricata

Link:

https://tria.ge/reports/220131-bc8raschgq/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Process spawned unexpected child process

suricata: ET MALWARE DCRAT Activity (GET)

Unpacked files

SH256 hash:

79a2043ef721b38bd67d06e3936f236e4a6882a15416f0e10b697c9a8ed648aa

MD5 hash:

f57773df5a655d18f5eb20faeb6e5058

SHA1 hash:

1e375ed80feef44f0db38d4e0de1b4f40237b30a

Link:

https://www.unpac.me/results/7d98fe0a-6742-4eca-b3ac-5b5d930c782b/

SH256 hash:

cfbff3d06f7350f941f93bb5e23068cf094b26b77ae09f0d3bba8c6b1cd45a45

MD5 hash:

4b3d6fb9d6963815647afbf5747352b2

SHA1 hash:

1de4d420dd704b452b3b5b338195d3c41f512ae2

Link:

https://www.unpac.me/results/7d98fe0a-6742-4eca-b3ac-5b5d930c782b/

SH256 hash:

34ad01f150a3ad26c6a583885be072d1df361a2032be73649a883d0b57015711

MD5 hash:

a6875b7c63549e1dd2798c72e8fb6c26

SHA1 hash:

f49c56efd20a816c2c75907ab8c8a6c7b0cf8633

Link:

https://www.unpac.me/results/7d98fe0a-6742-4eca-b3ac-5b5d930c782b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/34ad01f150a3ad26c6a583885be072d1df361a2032be73649a883d0b57015711

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/228206/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample