MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43f70516f8474945837667dfb53901e87635dcb48b5ffd4bb24697cdf303409b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43f70516f8474945837667dfb53901e87635dcb48b5ffd4bb24697cdf303409b
SHA3-384 hash: abeaa25e0fc53c3768f0aa77a610db8c11a995d3242927c2988f337660ce4ec9cf94a17072be78dcdb1734cfb495c9e7
SHA1 hash: 0bd2f388bd446be597281157544a658dde8eef9e
MD5 hash: 51567e8f0e1c8b63157977b1d68eb359
humanhash: berlin-cola-floor-maryland
File name:43F70516F8474945837667DFB53901E87635DCB48B5FF.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'280'663 bytes
First seen:2021-12-26 19:06:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:h2G/nvxW3WpkLYBAVa9jIUCg9Lf/Rm77tN02xVD0w+4v:hbA3XIRZfs/HgTW
Threatray 1'221 similar samples on MalwareBazaar
TLSH T147555A017A86C912D2291A3BC9EF815443BCED412A62DB1B7EAF335D65A13B31E0D5CF
File icon (PE):PE icon
dhash icon bade96b08c8caada (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://5.196.148.148/triplesix/gods/authTrafficTemporary.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.196.148.148/triplesix/gods/authTrafficTemporary.php https://threatfox.abuse.ch/ioc/287857/

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
43F70516F8474945837667DFB53901E87635DCB48B5FF.exe
Verdict:
Malicious activity
Analysis date:
2021-12-26 19:09:23 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/f6b3233f-9a37-4a45-9093-1a92ea12d1a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216460/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the system32 subdirectories
Creating a file in the %temp% directory
Sending a UDP request
Sending a custom TCP request
Sending an HTTP GET request
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Stealing user critical data
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3290/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker greyware overlay packed packed
Link:
https://www.filescan.io/uploads/61c8bd598991ba72b3999c5c/reports/eaefddcc-0ab8-4395-b8e1-3f70dcd95259/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e84247bc-f59f-437e-9ae9-d4e9265e3098
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912976
Signature
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates files inside the volume driver (system volume information)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545454 Sample: 43F70516F8474945837667DFB53... Startdate: 26/12/2021 Architecture: WINDOWS Score: 100 49 Antivirus detection for dropped file 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 10 43F70516F8474945837667DFB53901E87635DCB48B5FF.exe 3 6 2->10         started        13 smartscreen.exe 3 2->13         started        16 winlogon.exe 3 2->16         started        18 13 other processes 2->18 process3 file4 47 C:\Winruntime\WinruntimeIntobroker.exe, PE32 10->47 dropped 20 wscript.exe 1 10->20         started        65 Antivirus detection for dropped file 13->65 67 Multi AV Scanner detection for dropped file 13->67 signatures5 process6 process7 22 cmd.exe 1 20->22         started        process8 24 WinruntimeIntobroker.exe 10 23 22->24         started        28 conhost.exe 22->28         started        file9 39 C:\Windows\System32\...\RuntimeBroker.exe, PE32 24->39 dropped 41 C:\Windows\System32\KBDYCC\smartscreen.exe, PE32 24->41 dropped 43 C:\Windows\System32\...\winlogon.exe, PE32 24->43 dropped 45 4 other malicious files 24->45 dropped 57 Antivirus detection for dropped file 24->57 59 Creates files inside the volume driver (system volume information) 24->59 61 Creates multiple autostart registry keys 24->61 63 4 other signatures 24->63 30 cmd.exe 24->30         started        signatures10 process11 signatures12 69 Drops executables to the windows directory (C:\Windows) and starts them 30->69 33 conhost.exe 30->33         started        35 w32tm.exe 30->35         started        37 winlogon.exe 30->37         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43f70516f8474945837667dfb53901e87635dcb48b5ffd4bb24697cdf303409b/
Threat name:
ByteCode-MSIL.Trojan.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 12:51:42 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ip3qkfxyi5eula3wm7p3koib5b3dlxfurnp72s5si2l434ydicnq._file
Verdict:
malicious
Similar samples:
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
DCRat
0eaeecd54b382b008e10fb2d18f5689fa047e2f5bd22d90ab8c495c49d20fd87
DCRat
45790bd0bb5eef4380c93de089dd9bf9b137a70bdc2f78e976919b6dd4b6bb2b
DCRat
5487f2263ad9238d80e7db399d980f1bb66c1c5b43d5595165e097ee385ddb53
DCRat
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
DCRat
99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16
DCRat
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
DCRat
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
DCRat
ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93
DCRat
+ 1'211 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer suricata
Link:
https://tria.ge/reports/211226-xsm1esadaj/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
4ebd803c4d624bf73e81d59d036ccc338d164553c7ad8173fd6d5d63260dac1e
MD5 hash:
6f25b25b72355a51300380ffafd4d523
SHA1 hash:
bd55c7777e94aa9f5a61cf06e9556adc8e14376e
Link:
https://www.unpac.me/results/9ad02df4-cfca-44ca-a5e4-a5e158caee3e/
Parent samples :
54de552295e919218a7d43a1d0114bae169a79a1963113d615fd8bce428b385d
2774262a54ea6008d5b508f4d95eb811bd5d7dc50e1c0659d016ab33d966e729
SH256 hash:
58e9e3226bc7387b4f9200017845a906d6b57ccdf3d0275dbddda61a8d59ca58
MD5 hash:
1e246144b4532c5d9d1716beaf376589
SHA1 hash:
bcb2470552e31a7540ae04fb4d1a76f033e1cf93
Link:
https://www.unpac.me/results/9ad02df4-cfca-44ca-a5e4-a5e158caee3e/
SH256 hash:
cbc7f703eda1b8b0a0657d8e4313eead18f58c988de7b9aef237190bb85242cc
MD5 hash:
0b4b5022d6bc41fa640d9531c585a6ea
SHA1 hash:
f17c16f02b17a30ec2c170e3aabf5a02b9e6dc1f
Link:
https://www.unpac.me/results/9ad02df4-cfca-44ca-a5e4-a5e158caee3e/
SH256 hash:
43f70516f8474945837667dfb53901e87635dcb48b5ffd4bb24697cdf303409b
MD5 hash:
51567e8f0e1c8b63157977b1d68eb359
SHA1 hash:
0bd2f388bd446be597281157544a658dde8eef9e
Link:
https://www.unpac.me/results/9ad02df4-cfca-44ca-a5e4-a5e158caee3e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/43f70516f847/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43f70516f8474945837667dfb53901e87635dcb48b5ffd4bb24697cdf303409b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216460/

Comments