MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45790bd0bb5eef4380c93de089dd9bf9b137a70bdc2f78e976919b6dd4b6bb2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45790bd0bb5eef4380c93de089dd9bf9b137a70bdc2f78e976919b6dd4b6bb2b
SHA3-384 hash: c84a8d92f66106a74974a9613ef8bb5fd1e07a3a0457af6ab645323404f925860e8a939e9583e057316b86433fe48c8e
SHA1 hash: 9fd3f0658a7c285d6bdcd6f5b25d3995045a5b88
MD5 hash: f67e9c9915e81bd08ebb0e2b57909677
humanhash: pennsylvania-ohio-fix-twenty
File name:f67e9c9915e81bd08ebb0e2b57909677.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'226'402 bytes
First seen:2021-10-21 18:08:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:B2G/nvxW3W0nme0wCtsOkpS8BUvLlR5RevPxsJT2xdHM+4b:BbA3Huw/H08qRqvJsJTkH+
Threatray 880 similar samples on MalwareBazaar
TLSH T1A5454A127A85DD12D269163BC5EF4A5447BCBD006A62CB1B7EBE335D29213A34E0E1CF
File icon (PE):PE icon
dhash icon 64d2bce8cac2b4c0 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199167/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware makop overlay packed packed
Link:
https://www.filescan.io/uploads/6171acbf9a5a1e91c5cc1b3b/reports/ed3a1ae9-6acd-4e15-a6bc-1d1199080b62/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eaba3fc5-41ae-461e-9821-b0a933885bf7
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/874794
Signature
Creates multiple autostart registry keys
Creates processes via WMI
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507225 Sample: tLBAz6v5Qr.exe Startdate: 21/10/2021 Architecture: WINDOWS Score: 84 53 Found malware configuration 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected DCRat 2->57 59 Sigma detected: WScript or CScript Dropper 2->59 10 tLBAz6v5Qr.exe 3 10 2->10         started        13 ctfmon.exe 3 2->13         started        16 smartscreen.exe 2->16         started        18 5 other processes 2->18 process3 dnsIp4 47 C:\Users\...\WinsessionBrokernetIntohost.exe, PE32 10->47 dropped 49 C:\Users\user\AppData\...\ufqa67DL2gtzgC.vbe, data 10->49 dropped 21 wscript.exe 1 10->21         started        67 Multi AV Scanner detection for dropped file 13->67 51 185.146.157.136, 80 THEFIRST-ASRU Russian Federation 18->51 file5 signatures6 process7 process8 23 cmd.exe 1 21->23         started        process9 25 WinsessionBrokernetIntohost.exe 8 18 23->25         started        29 conhost.exe 23->29         started        file10 39 C:\Users\...\WinsessionBrokernetIntohost.exe, PE32 25->39 dropped 41 C:\Users\Default\AppData\Local\...\ctfmon.exe, PE32 25->41 dropped 43 C:\Recovery\smartscreen.exe, PE32 25->43 dropped 45 2 other malicious files 25->45 dropped 61 Multi AV Scanner detection for dropped file 25->61 63 Creates multiple autostart registry keys 25->63 65 Creates processes via WMI 25->65 31 cmd.exe 1 25->31         started        signatures11 process12 process13 33 WinsessionBrokernetIntohost.exe 2 31->33         started        35 w32tm.exe 1 31->35         started        37 conhost.exe 31->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45790bd0bb5eef4380c93de089dd9bf9b137a70bdc2f78e976919b6dd4b6bb2b/
Threat name:
ByteCode-MSIL.Trojan.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 03:14:26 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iv4qxuf3l3xuhagjhxqitxm37gytpjyl3qxxr2lwsgnw3vfwxmvq._file
Verdict:
malicious
Similar samples:
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
DCRat
2443613407a5446d2903068af37ad22a559393bf78673c3ce42a64dd7605b5dd
DCRat
2e7c0e72ebe65df6ed44631550c14d1dfce5c0a540ed450df984802890b25c53
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
51b8434c68594113a4036358e477fe1ae1b4cc0b99d653b224250e24537d87e2
DCRat
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
DCRat
95155b1eb26b2f4d548de9b64239aa4339c191a56b9f1e61697351dced1c9bc7
DCRat
99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16
DCRat
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
DCRat
+ 870 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/211021-wrfz2safa7/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
bd10ea4eeb2a7f1e9b3157ce51752336fe3d6dc56fb49bdc736bbe0ea34f5936
MD5 hash:
3c0e66c07059d17b9dec156ae1f99fcf
SHA1 hash:
a9cf63368c43a839590f55a4896d503909d4ea76
Link:
https://www.unpac.me/results/783665b0-ee1c-4283-9efe-e60eaf3150ff/
SH256 hash:
45790bd0bb5eef4380c93de089dd9bf9b137a70bdc2f78e976919b6dd4b6bb2b
MD5 hash:
f67e9c9915e81bd08ebb0e2b57909677
SHA1 hash:
9fd3f0658a7c285d6bdcd6f5b25d3995045a5b88
Link:
https://www.unpac.me/results/783665b0-ee1c-4283-9efe-e60eaf3150ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45790bd0bb5eef4380c93de089dd9bf9b137a70bdc2f78e976919b6dd4b6bb2b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199167/

Comments