MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

Intelligence 7 IOCs 1 YARA File information Comments

SHA256 hash:	467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee
SHA3-384 hash:	b789d2e084c5f41a977ce565201f81c2605b65d1907c54b4b25c066c93f07fbab11878b7d8ac16adef225a9e72112cd5
SHA1 hash:	72914353ac9633c2c6677def4335fc1e9a4e4f55
MD5 hash:	6c82cf870db138a875cc7414334b1d32
humanhash:	helium-paris-colorado-freddie
File name:	6c82cf870db138a875cc7414334b1d32.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	2'211'298 bytes
First seen:	2022-08-31 09:50:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	49152:u9aIk67AORWEB2QeCkhUtmS5zwVf2904ocMBgkrLh/LaW:I11AORHB2QwhUHMYq4cxZ7
TLSH	T1CAA511D5EA4980ACFC787AF919750F165E936B04392250CE6B587EE8173E8071CBFE42
TrID	71.8% (.EXE) Inno Setup installer (109740/4/30) 9.2% (.EXE) Win32 Executable Delphi generic (14182/79/4) 8.5% (.SCR) Windows screen saver (13101/52/3) 2.9% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	99eb852cd4d40edd (2 x DCRat)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://furiosgr.isp26.admintest.ru/ImagepipeSqltemp.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://furiosgr.isp26.admintest.ru/ImagepipeSqltemp.php	https://threatfox.abuse.ch/ioc/846773/

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/306786/

Detection(s):

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.11697.51.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/36146/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

80%

Tags:

dcrat greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/630f2f5ce87b88e71be74805/reports/3d99e0ea-6384-4355-97cd-ecea1119514f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1061471

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee/

Threat name:

Win32.Trojan.Rasftuby

Status:

Malicious

First seen:

2022-08-26 01:04:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

10 of 26 (38.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iz5nmp3kci24i2ag5hnav4z5gwhaikgfb2cbtxsblfenw4qok3xa._file

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220831-lvhb6sebb5/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

745c192fdc60623d68b017e55c60c7e43453908fb7fd6e6b6ac607422673e635

MD5 hash:

4689df5d214b12d4f899ff27384b23e2

SHA1 hash:

06f766a7cbe111fc5d51e0e99500a33314d70f02

Link:

https://www.unpac.me/results/cb0f5d36-e9f4-41ac-9ed3-a07294497c02/

SH256 hash:

467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee

MD5 hash:

6c82cf870db138a875cc7414334b1d32

SHA1 hash:

72914353ac9633c2c6677def4335fc1e9a4e4f55

Link:

https://www.unpac.me/results/cb0f5d36-e9f4-41ac-9ed3-a07294497c02/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/306786/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample