MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c
SHA3-384 hash: 7513ab1eb3deaa1ee81d09f3920fb2bd0399cba459f373ffdc3cfba45dfd4f11725c67b492d911409f8f7ba1225a5d46
SHA1 hash: b3f0cf3da5bcf75d15d14c6d9719ace41165338d
MD5 hash: 909570c37d5cd3165461458d9cd60c4b
humanhash: gee-ceiling-pasta-quebec
File name:909570c37d5cd3165461458d9cd60c4b.bin.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'087'496 bytes
First seen:2023-07-10 19:54:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:G654FkJ0qNvcnjHssqR+2lL4teY0R9wzbTmPn5RkW5tTSCLW71:G654FknNojHsNR+PD0RCTmPn5S4tT5Lo
Threatray 107 similar samples on MalwareBazaar
TLSH T1CBE533853A8DC4F0D4A6653079BA2D603F742D3C8F6022DF6749753A58B73C3A63EA46
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 92e0b09ee6dada62 (10 x RedLineStealer, 3 x CoinMiner, 2 x DCRat)
Reporter abuse_ch
Tags:DCRat exe signed

Code Signing Certificate

Organisation:34g43g34g34
Issuer:34g43g34g34
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-24T00:00:00Z
Valid to:2028-02-24T00:00:00Z
Serial number: 0b06e7a358588960
Intelligence: 10 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3354c4c063e2430b70ef77c885a15af66f20a10029e20b9b24a1028daa6b5420
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
DCRat C2:
http://965092.clmonth.nyashteam.top/JsProtectDefaulttrafficLocal.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
909570c37d5cd3165461458d9cd60c4b.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-07-10 19:54:44 UTC
Tags:
rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/99ec52be-1d4c-4477-a6b2-c183a3ec6ce5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/414800/
Detection(s):
Win.Keylogger.Gencbl-9969771-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Launching many processes
Unauthorized injection to a recently created process
Blocking the User Account Control
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97056/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64ac6218b1d2dc145c1c284f/reports/3fd11ff9-bff8-4126-87be-e698c0b51110/overview
Verdict:
Malicious
Labled as:
Keylogger.Gencbl
Link:
https://www.hybrid-analysis.com/sample/4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dbadf1fa-0143-46df-aa24-2bb07a61c5b2
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270142
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Suspicious
First seen:
2023-07-10 19:55:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5tamoyqpdl7cdhyxia3fjqrn3gm3gtbp4nnfyerfkdj2dcco4wa._file
Verdict:
malicious
Similar samples:
02eac3477d8072f8a2e1eb518a741c467ec260aee8766b2ecbbe99bee947844a
DCRat
1ac36deadf79f1d911a8cd2232d5d86f39870c8041c52196f87f6390f132fa85
DCRat
4c7f9e9e2cc9d84e89708427b60f8151015b6124523d5a933fb4fb9a9c4f9638
DCRat
a0df043771d7abc922ee467a92bad5e31001e36f978b5d56e415e853cba7f761
DCRat
c07572117f9dda3d61518694a205940da38d6d0baef87df01deacdefefe6fd81
DCRat
e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4
DCRat
+ 97 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/230710-ym4lnaed2y/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DCRat payload
DcRat
Process spawned unexpected child process
UAC bypass
Unpacked files
SH256 hash:
26b0e516e8a22268417f141229fcfee4050c4fd4861b1d45db7393f5ed114637
MD5 hash:
524230600c1648d3d6a405f9cc2950fc
SHA1 hash:
4029979ca0f104d4562b435d25871ed34326fc20
Link:
https://www.unpac.me/results/85a84fe1-790d-4f28-b218-9d45e3e71097/
SH256 hash:
4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c
MD5 hash:
909570c37d5cd3165461458d9cd60c4b
SHA1 hash:
b3f0cf3da5bcf75d15d14c6d9719ace41165338d
Link:
https://www.unpac.me/results/85a84fe1-790d-4f28-b218-9d45e3e71097/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4766063b1078/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DCRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/414800/
  
URLhaus
https://urlhaus.abuse.ch/url/2680506/
  
Delivery method
Distributed via web download

Comments