MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b734afbb65c47d96c53ddc24250cacf96e62bbc56e0c64eca978d3255bbc745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b734afbb65c47d96c53ddc24250cacf96e62bbc56e0c64eca978d3255bbc745
SHA3-384 hash: 237773edb9682395e11d3fa3e0f4469a56559c04d81daa0409358292aca986091c41901bf46932faa87b3a3371eb9362
SHA1 hash: 96f15634914d42e38dd1c6d3af808abf6f5bc05b
MD5 hash: aa92aa0efc2c36f0e4f57e014e8c3f84
humanhash: yellow-earth-tango-missouri
File name:aa92aa0efc2c36f0e4f57e014e8c3f84.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'870'437 bytes
First seen:2021-07-09 03:41:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:h2G/nvxW3WaWSj0MwkUYKi5sljULVkZXkhlr2tbWxiA/s1Y++4b:hbA31WSgzkQNjEkB22NHJ+2
Threatray 423 similar samples on MalwareBazaar
TLSH T161855C437995CD02D5AA1A37C6DF482417A9FD013F25E75A7ECB339862333D22D1A2CA
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://83.220.174.145/Serverplugin/Autosearcher/Wardemo/phpgenerator/tracedemo/Pythonrecord/coresearcher/gameplugin/Mathplugin/Cpulog/Autodata/Autosupport/Pythonscreen/Serversearcher/eternalimagejavascriptTrack.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://83.220.174.145/Serverplugin/Autosearcher/Wardemo/phpgenerator/tracedemo/Pythonrecord/coresearcher/gameplugin/Mathplugin/Cpulog/Autodata/Autosupport/Pythonscreen/Serversearcher/eternalimagejavascriptTrack.php https://threatfox.abuse.ch/ioc/158767/

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa92aa0efc2c36f0e4f57e014e8c3f84.exe
Verdict:
Malicious activity
Analysis date:
2021-07-09 03:42:33 UTC
Tags:
stealer evasion trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/d0eb15e2-42fd-4f7d-acd4-ca1922cd176f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170594/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3eee9fca-2fe3-45b0-85e6-1b6c2320a1ee
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813844
Signature
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446255 Sample: D4XvGXEsWY.exe Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 67 Found malware configuration 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 5 other signatures 2->73 10 D4XvGXEsWY.exe 3 6 2->10         started        14 Registry.exe 3 2->14         started        16 msiexec.exe 3 2->16         started        18 hkJmRKQxfMlpRhI.exe 2->18         started        process3 file4 65 C:\Adobe\Hostmonitor.exe, PE32 10->65 dropped 83 Drops executable to a common third party application directory 10->83 20 wscript.exe 1 10->20         started        85 Multi AV Scanner detection for dropped file 14->85 87 Machine Learning detection for dropped file 14->87 89 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->89 signatures5 process6 process7 22 cmd.exe 1 20->22         started        process8 24 Hostmonitor.exe 3 24 22->24         started        28 conhost.exe 22->28         started        file9 57 C:\Windows\SystemApps\...\SearchUI.exe, PE32 24->57 dropped 59 C:\Windows\System32\mtxdm\msiexec.exe, PE32 24->59 dropped 61 C:\Windows\System32\...\RuntimeBroker.exe, PE32 24->61 dropped 63 4 other malicious files 24->63 dropped 75 Multi AV Scanner detection for dropped file 24->75 77 Machine Learning detection for dropped file 24->77 79 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->79 81 4 other signatures 24->81 30 cmd.exe 24->30         started        33 schtasks.exe 1 24->33         started        35 schtasks.exe 1 24->35         started        37 5 other processes 24->37 signatures10 process11 signatures12 91 Uses ping.exe to sleep 30->91 93 Uses ping.exe to check the status of other devices and networks 30->93 39 conhost.exe 30->39         started        41 chcp.com 30->41         started        53 2 other processes 30->53 43 conhost.exe 33->43         started        45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        49 conhost.exe 37->49         started        51 conhost.exe 37->51         started        55 2 other processes 37->55 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b734afbb65c47d96c53ddc24250cacf96e62bbc56e0c64eca978d3255bbc745/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 06:35:00 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jnzuv65wlrd5s3ct3xbeeugkz6lomk54k3qmmtwks6gtevn3y5cq._file
Verdict:
malicious
Similar samples:
043933cf2d619c6da0e932c3e7a302f210f3ae09d924379f8ae257c9c291e292
DCRat
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
DCRat
37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
DCRat
748f35be261019103aae31d43b1fa88fda9cbc99043122e76b5c0a0d94cb808f
DCRat
95f5464f22e6bbe285c912f7afd00836c7253babdf6b608cbbb5a063bb1f868f
DCRat
9d88e62b7da45ea1be4c02dec30b6a31b53d42c31d1785f4a992e55c0147d825
DCRat
aebfeecd15596e7b6b4a739157229d3a0e1ea320e9352e4e725663b5a4f367b1
DCRat
b7700c66e40ddd73a718794c1f295d1a56251aa0cdb89b215120a09bb5e61e9e
DCRat
dec05061330cdd96419eb3cddade5f8198f6c30e17551842a0c644e1642ddea1
DCRat
+ 413 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat spyware stealer
Link:
https://tria.ge/reports/210709-dfkcc5law6/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DCRat Payload
DcRat
Unpacked files
SH256 hash:
681cf57670749d05d7b8de2c91b0fcb7b7541bfcd511725c6fe207294b723482
MD5 hash:
78a2b8535c57b1b18fb14a3e73f549f0
SHA1 hash:
5802c5493be6d359675a268d528a69eb409411bb
Link:
https://www.unpac.me/results/ddfaedfa-bfa5-473e-a1c0-1473176f84c8/
SH256 hash:
4b734afbb65c47d96c53ddc24250cacf96e62bbc56e0c64eca978d3255bbc745
MD5 hash:
aa92aa0efc2c36f0e4f57e014e8c3f84
SHA1 hash:
96f15634914d42e38dd1c6d3af808abf6f5bc05b
Link:
https://www.unpac.me/results/ddfaedfa-bfa5-473e-a1c0-1473176f84c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b734afbb65c47d96c53ddc24250cacf96e62bbc56e0c64eca978d3255bbc745

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170594/

Comments