MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7


SHA256 hash: 467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee
SHA3-384 hash: b789d2e084c5f41a977ce565201f81c2605b65d1907c54b4b25c066c93f07fbab11878b7d8ac16adef225a9e72112cd5
SHA1 hash: 72914353ac9633c2c6677def4335fc1e9a4e4f55
MD5 hash: 6c82cf870db138a875cc7414334b1d32
humanhash: helium-paris-colorado-freddie
File name: 6c82cf870db138a875cc7414334b1d32.exe
Signature: DCRat
File size: 2'211'298 bytes
First seen: 2022-08-31 09:50:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 49152:u9aIk67AORWEB2QeCkhUtmS5zwVf2904ocMBgkrLh/LaW:I11AORHB2QwhUHMYq4cxZ7
TLSH: T1CAA511D5EA4980ACFC787AF919750F165E936B04392250CE6B587EE8173E8071CBFE42
TrID:
  71.8% (.EXE) Inno Setup installer (109740/4/30)
  9.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  8.5% (.SCR) Windows screen saver (13101/52/3)
  2.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon 99eb852cd4d40edd (2 x DCRat)
Reporter abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://furiosgr.isp26.admintest.ru/ImagepipeSqltemp.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://furiosgr.isp26.admintest.ru/ImagepipeSqltemp.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/846773/

Intelligence


File Origin
# of uploads: 1
# of downloads: 281
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: dcrat greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Rasftuby
Status: Malicious
First seen: 2022-08-26 01:04:35 UTC
File Type: PE (Exe)
Extracted files: 75
AV detection: 10 of 26 (38.46%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 745c192fdc60623d68b017e55c60c7e43453908fb7fd6e6b6ac607422673e635
MD5 hash: 4689df5d214b12d4f899ff27384b23e2
SHA1 hash: 06f766a7cbe111fc5d51e0e99500a33314d70f02
SHA256 hash: 467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee
MD5 hash: 6c82cf870db138a875cc7414334b1d32
SHA1 hash: 72914353ac9633c2c6677def4335fc1e9a4e4f55
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments