MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46e646dcfb73f26f153653b020f9871da0dc1bbd39b518e159616e352ebee9fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46e646dcfb73f26f153653b020f9871da0dc1bbd39b518e159616e352ebee9fc
SHA3-384 hash: 6b884bf88c815dc2630d5324bd2661352ec3225455561980761dc139ca70aebf94eaf24d9c3ad9a67cf031af478db8ae
SHA1 hash: 63f63f2ce50a5a98e6ba8a0e67671df967e124b0
MD5 hash: 4496e23ea38964f755d03126a21d4f07
humanhash: dakota-march-pip-undress
File name:46E646DCFB73F26F153653B020F9871DA0DC1BBD39B51.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'434'252 bytes
First seen:2024-01-12 20:50:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (430 x NirCmd, 392 x DCRat, 52 x RedLineStealer)
ssdeep 49152:IBJkS7CosHg6RCq7BK0ufaLN8Wt/FTxbW:yuzPlBAaZNNTlW
Threatray 613 similar samples on MalwareBazaar
TLSH T182B5CF06A9B26E73C2A53F35D4E7042D93B0DB223613EF5B360F55D6A8072619A132F7
TrID 74.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://898082lm.nyashmyash.top/linerequestPacketlowGeoProcessorlongpolldbdlePrivate.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
420
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470597/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Packed.Uztuby-10009381-0
Create hunting rule

Win.Packed.Uztuby-10015036-0
Create hunting rule

Win.Packed.Uztuby-10015799-0
Create hunting rule

Win.Packed.Uztuby-10015902-0
Create hunting rule

Win.Packed.Uztuby-10017372-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Loading a suspicious library
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm installer lolbin overlay packed packed replace setupapi sfx shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/65a1a6371bf798554ab07ca5/reports/118b32ef-e08a-49cc-a436-a5ae5aa9bbce/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8.Gen;Trojan.Uztuby
Link:
https://www.hybrid-analysis.com/sample/46e646dcfb73f26f153653b020f9871da0dc1bbd39b518e159616e352ebee9fc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/773f8896-b2c2-43ea-89e5-1749545f50fe
Result
Threat name:
DCRat, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1374021
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374021 Sample: 46E646DCFB73F26F153653B020F... Startdate: 12/01/2024 Architecture: WINDOWS Score: 100 144 898082lm.nyashmyash.top 2->144 158 Snort IDS alert for network traffic 2->158 160 Antivirus detection for URL or domain 2->160 162 Antivirus detection for dropped file 2->162 164 7 other signatures 2->164 15 46E646DCFB73F26F153653B020F9871DA0DC1BBD39B51.exe 3 6 2->15         started        signatures3 process4 file5 142 C:\serverBroker\agentBroker.exe, PE32 15->142 dropped 18 wscript.exe 1 15->18         started        21 conhost.exe 15->21         started        process6 signatures7 156 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->156 23 cmd.exe 1 18->23         started        process8 signatures9 166 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->166 26 agentBroker.exe 3 23 23->26         started        29 cmd.exe 23->29         started        31 conhost.exe 23->31         started        process10 file11 118 C:\serverBroker\SearchApp.exe, PE32 26->118 dropped 120 C:\Users\user\Saved Games\conhost.exe, PE32 26->120 dropped 122 C:\Users\user\Desktop\vJomZkEy.log, PE32 26->122 dropped 124 10 other malicious files 26->124 dropped 33 cmd.exe 1 26->33         started        36 PwCTgkhEsVaddvQPCTt.exe 29->36         started        39 conhost.exe 29->39         started        41 chcp.com 29->41         started        43 w32tm.exe 29->43         started        process12 file13 150 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->150 152 Uses ping.exe to sleep 33->152 154 Uses ping.exe to check the status of other devices and networks 33->154 45 PwCTgkhEsVaddvQPCTt.exe 14 13 33->45         started        50 conhost.exe 33->50         started        52 PING.EXE 1 33->52         started        54 chcp.com 1 33->54         started        102 C:\Users\user\Desktop\qsIgUcrR.log, PE32 36->102 dropped 104 C:\Users\user\Desktop\npVxytnV.log, PE32 36->104 dropped 106 C:\Users\user\Desktop\eySPkiHi.log, PE32 36->106 dropped 108 5 other malicious files 36->108 dropped 56 cmd.exe 36->56         started        signatures14 process15 dnsIp16 146 898082lm.nyashmyash.top 172.67.166.50, 49734, 49736, 49737 CLOUDFLARENETUS United States 45->146 134 C:\Users\user\Desktop\sWDVOJHa.log, PE32 45->134 dropped 136 C:\Users\user\Desktop\qMhUOqcZ.log, PE32 45->136 dropped 138 C:\Users\user\Desktop\ZFQpvExK.log, PE32 45->138 dropped 140 5 other malicious files 45->140 dropped 168 Multi AV Scanner detection for dropped file 45->168 170 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->170 58 cmd.exe 1 45->58         started        172 Uses ping.exe to sleep 56->172 60 PwCTgkhEsVaddvQPCTt.exe 56->60         started        63 conhost.exe 56->63         started        65 chcp.com 56->65         started        67 PING.EXE 56->67         started        file17 signatures18 process19 file20 69 PwCTgkhEsVaddvQPCTt.exe 58->69         started        72 conhost.exe 58->72         started        74 chcp.com 58->74         started        76 w32tm.exe 58->76         started        126 C:\Users\user\Desktop\wigFtvKa.log, PE32 60->126 dropped 128 C:\Users\user\Desktop\nFXPJBvt.log, PE32 60->128 dropped 130 C:\Users\user\Desktop\gHjPgmAE.log, PE32 60->130 dropped 132 5 other malicious files 60->132 dropped 78 cmd.exe 60->78         started        process21 file22 110 C:\Users\user\Desktop\tlxDcBqz.log, PE32 69->110 dropped 112 C:\Users\user\Desktop\kHoNsIaR.log, PE32 69->112 dropped 114 C:\Users\user\Desktop\WlDygiFw.log, PE32 69->114 dropped 116 5 other malicious files 69->116 dropped 80 cmd.exe 69->80         started        83 PwCTgkhEsVaddvQPCTt.exe 78->83         started        86 conhost.exe 78->86         started        88 chcp.com 78->88         started        90 w32tm.exe 78->90         started        process23 file24 148 Uses ping.exe to sleep 80->148 92 conhost.exe 80->92         started        94 C:\Users\user\Desktop\oKtxnHKV.log, PE32 83->94 dropped 96 C:\Users\user\Desktop\neZHgdoc.log, PE32 83->96 dropped 98 C:\Users\user\Desktop\ebahDfEn.log, PE32 83->98 dropped 100 5 other malicious files 83->100 dropped signatures25 process26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/46e646dcfb73f26f153653b020f9871da0dc1bbd39b518e159616e352ebee9fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46e646dcfb73f26f153653b020f9871da0dc1bbd39b518e159616e352ebee9fc/
Threat name:
Win32.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2023-11-23 15:48:25 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3tenxh3opzg6fjwkoycb6mhdwqnyg55hg2rrykzmfxdklv65h6a._file
Verdict:
malicious
Similar samples:
18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc
DCRat
21db4cd681095da19d677cceaa96d61b988bbbc3be10bb834011c87c9641185c
DCRat
3477199ac35c44688a69664eb2d722607cff4e3a376a2d066eace87fe016debc
DCRat
8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020
DCRat
e065974b0db0079fcc57cf5d209fa267c852772a58a68cee307a72c91d382a8e
DCRat
+ 603 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240112-zm5pdsffa4/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669
MD5 hash:
d8bf2a0481c0a17a634d066a711c12e9
SHA1 hash:
7cc01a58831ed109f85b64fe4920278cedf3e38d
Link:
https://www.unpac.me/results/2b17d01a-5ea1-4d07-92ea-1baae7693793/
SH256 hash:
7c95d3b38114e7e4126cb63aadaf80085ed5461ab0868d2365dd6a18c946ea3a
MD5 hash:
e9ce850db4350471a62cc24acb83e859
SHA1 hash:
55cdf06c2ce88bbd94acde82f3fea0d368e7ddc6
Link:
https://www.unpac.me/results/2b17d01a-5ea1-4d07-92ea-1baae7693793/
SH256 hash:
4bd3f31993dde258b0df4d372afb3b253ab31fc28c0d9bccdf47a2fc2192306c
MD5 hash:
cb4f64103bd5deff10a66d8d2bd6a751
SHA1 hash:
814f5b9f7aa0ded61b01835397d802feecab9d69
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/2b17d01a-5ea1-4d07-92ea-1baae7693793/
SH256 hash:
46e646dcfb73f26f153653b020f9871da0dc1bbd39b518e159616e352ebee9fc
MD5 hash:
4496e23ea38964f755d03126a21d4f07
SHA1 hash:
63f63f2ce50a5a98e6ba8a0e67671df967e124b0
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/2b17d01a-5ea1-4d07-92ea-1baae7693793/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46e646dcfb73f26f153653b020f9871da0dc1bbd39b518e159616e352ebee9fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/470597/

Comments