MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45814a3672b929cfc2f2851ce771869b0ea7ff587d1c0d349bfa92f8a11d9ed5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45814a3672b929cfc2f2851ce771869b0ea7ff587d1c0d349bfa92f8a11d9ed5
SHA3-384 hash: 7224294668b25c185550b568722059af2ff2defa8677d2fcdb155778df3392c6e1c23bdb7e020c36e624862c685fbabd
SHA1 hash: 736286f32e6800bd9470427454a75904e944501b
MD5 hash: c0347c367d8fcde8d40ab0bb3d5a707b
humanhash: muppet-carpet-green-yankee
File name:45814A3672B929CFC2F2851CE771869B0EA7FF587D1C0.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'212'053 bytes
First seen:2022-03-13 00:05:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (865 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0tA9Nqc8k/5uw2TCRENzFx:UbA30+NXT2T6ENT
Threatray 2'687 similar samples on MalwareBazaar
TLSH T1BD4539077A84CE11D8A91A37CDFF442543BCAD452A22DB1A7E9E375C66213A35E0D2CF
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://94.250.254.43/cpuUpdateprotectflowercdn.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.250.254.43/cpuUpdateprotectflowercdn.php https://threatfox.abuse.ch/ioc/394576/

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
45814a3672b929cfc2f2851ce771869b0ea7ff587d1c0d349bfa92f8a11d9ed5.zip
Verdict:
Malicious activity
Analysis date:
2022-03-13 01:39:57 UTC
Tags:
trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/f9fbfba2-7d69-429c-a3a9-a44120cf3622

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249857/
Detection(s):
Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9937390-0
Create hunting rule

Win.Packed.Msilzilla-9939065-0
Create hunting rule

Win.Packed.Uztuby-9940068-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Sending a UDP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9016/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed packed replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/622d35730cd58dbd928a0017/reports/653500c9-e195-4201-8687-fec074d3880c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf80097c-5da8-467f-bab8-1efadd8010c5
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955520
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 588001 Sample: 45814A3672B929CFC2F2851CE77... Startdate: 13/03/2022 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 8 other signatures 2->48 9 45814A3672B929CFC2F2851CE771869B0EA7FF587D1C0.exe 3 6 2->9         started        12 conhost.exe 3 2->12         started        15 TDaiakEaKMSOe.exe 2 2->15         started        17 6 other processes 2->17 process3 file4 38 C:\...\WinrefcrtcommonIntoBroker.exe, PE32 9->38 dropped 40 C:\Winrefcrtcommon\acLdNSU.vbe, data 9->40 dropped 19 wscript.exe 1 9->19         started        58 Antivirus detection for dropped file 12->58 60 Multi AV Scanner detection for dropped file 12->60 62 Machine Learning detection for dropped file 12->62 signatures5 process6 process7 21 cmd.exe 1 19->21         started        process8 23 WinrefcrtcommonIntoBroker.exe 4 12 21->23         started        27 conhost.exe 21->27         started        file9 32 C:\Windows\...\ShellExperienceHost.exe, PE32 23->32 dropped 34 C:\Windows\System32\...\conhost.exe, PE32 23->34 dropped 36 C:\Users\user\Contacts\TDaiakEaKMSOe.exe, PE32 23->36 dropped 50 Antivirus detection for dropped file 23->50 52 Multi AV Scanner detection for dropped file 23->52 54 Machine Learning detection for dropped file 23->54 56 3 other signatures 23->56 29 TDaiakEaKMSOe.exe 3 23->29         started        signatures10 process11 signatures12 64 Antivirus detection for dropped file 29->64 66 Multi AV Scanner detection for dropped file 29->66 68 Machine Learning detection for dropped file 29->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45814a3672b929cfc2f2851ce771869b0ea7ff587d1c0d349bfa92f8a11d9ed5/
Threat name:
Win32.Trojan.Skeeyah
Create hunting rule
Status:
Malicious
First seen:
2022-02-06 11:39:29 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwauuntsxeu47qxsquooo4mgtmhkp72ypuoa2ne37kjprii5t3kq._file
Verdict:
malicious
Similar samples:
021c75ff572f76d20e164381de5dd9ce68d9e6e242adb581f52a804bbfff8771
DCRat
304edff857fa25804412b30701ed763a0bb2588b9301e8253951328338a12158
DCRat
51e25d5a8ed0c73573838dbf95a2b11789ca90a06600edbcf9a0137453a3db9c
DCRat
785ebbdf0f15d1bb1fd3bbe1fb5a3486dead09dae463c91368653510c3814aee
DCRat
8b28463392c4a0f9af89630bd6e72c8839e0f1684e2c0e18f93202b0a79a0d49
DCRat
a11a2862e303f48e23c13846e92cefca2f1ea2c739bfa762eea433d1353a9bd1
DCRat
+ 2'677 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/220313-aebnxadggj/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
183491d192378aab0f633ff73a7cd91e4f85f900effb9acdd6959f27a67ddd84
MD5 hash:
9bcd2ad7e0cb8fc6bf5cf058c48663e9
SHA1 hash:
5ac55240685f1e130b64aa54d32196e25edaf814
Link:
https://www.unpac.me/results/f091bada-d5ad-4228-885a-7fb981d49421/
SH256 hash:
45814a3672b929cfc2f2851ce771869b0ea7ff587d1c0d349bfa92f8a11d9ed5
MD5 hash:
c0347c367d8fcde8d40ab0bb3d5a707b
SHA1 hash:
736286f32e6800bd9470427454a75904e944501b
Link:
https://www.unpac.me/results/f091bada-d5ad-4228-885a-7fb981d49421/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45814a3672b929cfc2f2851ce771869b0ea7ff587d1c0d349bfa92f8a11d9ed5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249857/

Comments