MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6228bf0d24466827c7cce88f1317907701052adc7fefa77ad7104868dc221cd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6228bf0d24466827c7cce88f1317907701052adc7fefa77ad7104868dc221cd8
SHA3-384 hash: 477c4a3c131f820ab9e35df250ea7e33296fed6ad82584332ea22da9036be5e8d31740aa8930006a12904c51705a1232
SHA1 hash: 0c4ba4ed512ccfe852f21666aa838510de6f75eb
MD5 hash: 30530001d558dd424119d052320c07ea
humanhash: stream-mobile-salami-texas
File name:30530001d558dd424119d052320c07ea.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:607'323 bytes
First seen:2023-07-27 18:40:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:bRZ+IoG/n9IQxW3OBsdOSjLCNE5Ny93+KAzzNUF5SanRf:T2G/nvxW3WejLCNlUzzNiHV
Threatray 231 similar samples on MalwareBazaar
TLSH T1EED49C007BE84A35E1BE2B76D4B796159774B822AF3DDB4F5BC0459D1932380DE20BA3
TrID 54.2% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
40.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
2.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4400d4ece4d408d4 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://79.137.248.10/baseDle/Temporary/Cpucentral/Jsvoiddbrequestpipe/0http/Temporarytest6Cdn/RequestServerMultiDefaultcdn.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
30530001d558dd424119d052320c07ea.exe
Verdict:
Malicious activity
Analysis date:
2023-07-27 18:42:39 UTC
Tags:
dcrat
Link:
https://app.any.run/tasks/db03d1f3-d695-4990-bd91-1b1408a416d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/435595/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Packed.Msilmamut-9987799-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Sending a UDP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd cscript dcrat explorer greyware lolbin makop overlay packed replace schtasks setupapi shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/64c2ba3f5154a489a458d47c/reports/5bc1141e-166b-47c4-adc9-887fd7db631e/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8.Gen;Trojan.Uztuby
Link:
https://www.hybrid-analysis.com/sample/6228bf0d24466827c7cce88f1317907701052adc7fefa77ad7104868dc221cd8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e39ee5f-253d-4eaf-a8d1-4f70e0531562
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1281415
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1281415 Sample: zDjebU8RX5.exe Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 12 other signatures 2->50 9 zDjebU8RX5.exe 3 6 2->9         started        13 wininit.exe 3 2->13         started        15 wininit.exe 2 2->15         started        17 6 other processes 2->17 process3 dnsIp4 40 192.168.2.1 unknown unknown 9->40 36 C:\providercrtDhcp\fontwinsvc.exe, PE32 9->36 dropped 38 C:\providercrtDhcp\8OBndI.vbe, data 9->38 dropped 19 wscript.exe 1 9->19         started        file5 process6 process7 21 cmd.exe 1 19->21         started        process8 23 fontwinsvc.exe 5 8 21->23         started        27 conhost.exe 21->27         started        file9 32 C:\Program Files\...\RuntimeBroker.exe, PE32 23->32 dropped 34 C:\MSOCache\All Users\...\wininit.exe, PE32 23->34 dropped 52 Antivirus detection for dropped file 23->52 54 Multi AV Scanner detection for dropped file 23->54 56 Creates an undocumented autostart registry key 23->56 58 4 other signatures 23->58 29 RuntimeBroker.exe 2 23->29         started        signatures10 process11 dnsIp12 42 79.137.248.10, 49692, 49693, 49694 DINET-ASRU Russian Federation 29->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6228bf0d24466827c7cce88f1317907701052adc7fefa77ad7104868dc221cd8/
Threat name:
Win32.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 09:03:00 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=miul6djeizucpr6m5chrgf4qo4aqkkw4p7x2o6wxcbegrxbcdtma._file
Verdict:
malicious
Similar samples:
1faa876f1399fb2010efd296d79c43f2b7dda0ec087991d542327515a405540c
DCRat
2ddc6af74674611a9cf929698260f5002f6910c6b6742df6de59279d83c6def0
DCRat
54d7bc30cd4f413106c5b57e5b29ea7ec560fccafdf08a4b8d7182715f4a3f94
DCRat
65b103acd11dc11bf5035671900b9d8921306153cbd4b5023b1e033bbd8ec4d9
DCRat
69cb12c0b363b013dd951d0d93ca6349c59190f1a027df0885dc8c6dbb81548c
DCRat
7b1c20701d541771b5819005700826712f27970a335dda7cf150e2564802d515
DCRat
+ 221 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat
Link:
https://tria.ge/reports/230727-xbrmaahf8v/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
Unpacked files
SH256 hash:
e333ba1581f8f0c3d11eb597723412476641c9d160ba9080b52099ac1445b46f
MD5 hash:
7705058993fd8929dd319ef101098940
SHA1 hash:
a4a7e8e6f104f212875124d58d44dc3be7bff5c4
Link:
https://www.unpac.me/results/767ba0f9-dffa-4bb0-a349-855ae6ca25ef/
SH256 hash:
6228bf0d24466827c7cce88f1317907701052adc7fefa77ad7104868dc221cd8
MD5 hash:
30530001d558dd424119d052320c07ea
SHA1 hash:
0c4ba4ed512ccfe852f21666aa838510de6f75eb
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/767ba0f9-dffa-4bb0-a349-855ae6ca25ef/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6228bf0d2446/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6228bf0d24466827c7cce88f1317907701052adc7fefa77ad7104868dc221cd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DCRat
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:DCRat Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_DCRat
Create hunting rule
Author:ditekSHen
Description:DCRat payload
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:win_xorist_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xorist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/435595/

Comments