MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57
SHA3-384 hash: 41368459600b855731407c9ed84352b2ab5509b1510012949c16471171cc1f92146d2ae49352f4001f42f005f2236d8b
SHA1 hash: 78f32cca891fb58e6f9445b28c9d2eda84c348d4
MD5 hash: 15aab4c1603b00c7f820ce86decbdf03
humanhash: uniform-washington-connecticut-mockingbird
File name:15aab4c1603b00c7f820ce86decbdf03.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'136'640 bytes
First seen:2022-05-11 10:51:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 24576:eQ663wN5YU89Y5p6/4/p46msE4nbz7DFEBLQYekPLfOZX0w1zLVvi:eQ66GYD9YPcGYOmKV
Threatray 7'999 similar samples on MalwareBazaar
TLSH T13635EF12D6A747A6D9A3F7F8B0ADF27226292DBF136001DB3738FDD418E0E55046127A
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon e0c2a24163a2c2e0 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://172.245.10.88/9/localAuthPythonMulti/Protect/auth/Processorprocess/dbExternalpipe/dump4/defaultRequest/php_Sql0/3ProtectsecureLine/1external/1Datalife/lineUpdate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://172.245.10.88/9/localAuthPythonMulti/Protect/auth/Processorprocess/dbExternalpipe/dump4/defaultRequest/php_Sql0/3ProtectsecureLine/1external/1Datalife/lineUpdate.php https://threatfox.abuse.ch/ioc/549536/

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269658/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50266300.32476.5331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Possible injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17131/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
advpack.dll alien control.exe fareit packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/627b9567982f586844f17cb9/reports/ff3a8eb8-faf2-4feb-a548-372a7e0d1cce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3e2abae-2835-4cd1-8019-cbd8e16aa99a
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991765
Signature
Creates processes via WMI
DLL reload attack detected
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624261 Sample: 90YxdLMe7T.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 5 other signatures 2->82 10 90YxdLMe7T.exe 1 5 2->10         started        12 cSxODqYTXd.exe.pif 1 2->12         started        17 wscript.exe 2->17         started        19 rundll32.exe 2->19         started        process3 dnsIp4 21 cmd.exe 1 10->21         started        23 cmd.exe 1 10->23         started        70 msMNvLHUhVpLllkmGpWQXIRlJOg.msMNvLHUhVpLllkmGpWQXIRlJOg 12->70 64 C:\Users\user\AppData\...\bcMfGstCAjBOw.dll, PE32 12->64 dropped 104 DLL reload attack detected 12->104 106 Writes to foreign memory regions 12->106 108 Renames NTDLL to bypass HIPS 12->108 110 Injects a PE file into a foreign processes 12->110 26 jsc.exe 12->26         started        112 Creates processes via WMI 17->112 file5 signatures6 process7 signatures8 28 cmd.exe 2 21->28         started        32 conhost.exe 21->32         started        92 Obfuscated command line found 23->92 94 Uses ping.exe to sleep 23->94 96 Drops PE files with a suspicious file extension 23->96 98 Uses ping.exe to check the status of other devices and networks 23->98 34 conhost.exe 23->34         started        process9 file10 62 C:\Users\user\AppData\Local\...\Osato.exe.pif, PE32 28->62 dropped 100 Obfuscated command line found 28->100 102 Uses ping.exe to sleep 28->102 36 Osato.exe.pif 5 28->36         started        41 PING.EXE 1 28->41         started        43 tasklist.exe 1 28->43         started        45 4 other processes 28->45 signatures11 process12 dnsIp13 66 msMNvLHUhVpLllkmGpWQXIRlJOg.msMNvLHUhVpLllkmGpWQXIRlJOg 36->66 58 C:\Users\user\AppData\...\cSxODqYTXd.exe.pif, PE32 36->58 dropped 60 C:\Users\user\AppData\...\bcMfGstCAjBOw.dll, PE32 36->60 dropped 84 DLL reload attack detected 36->84 86 Drops PE files with a suspicious file extension 36->86 88 Writes to foreign memory regions 36->88 90 2 other signatures 36->90 47 jsc.exe 15 2 36->47         started        51 cmd.exe 2 36->51         started        68 192.168.2.1 unknown unknown 41->68 file14 signatures15 process16 dnsIp17 72 172.245.10.88, 49771, 49772, 49773 SERVER-MANIACA United States 47->72 74 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 47->74 56 C:\Users\user\AppData\...\cSxODqYTXd.url, MS 51->56 dropped 54 conhost.exe 51->54         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2022-05-08 18:43:41 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
14 of 41 (34.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpoqukuhf7ttnaeizvern3izt5xk3hc7lbb7vtokuv4lw2g63vlq._file
Verdict:
malicious
Similar samples:
08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b
DCRat
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
DCRat
33973d9455b047252dfdebb2227d9700c3fdbb7c662af7f26193c6d9ba5c45d8
DCRat
487178988d7c3bebc34fe2c40f1b19cd8f89f2753d552a19c4fe5da82f22d828
DCRat
6f61d466fdb609fd461ba5979fab4a908a5a1c61336566e1313d54d9bf484366
DCRat
7735a05791f9c8d69e6211b9d5df24a852fcf7e6e8bae876f4ac126023c52852
DCRat
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
DCRat
b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4
DCRat
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
DCRat
daa8e379d6103bf5e65fad184f1f7aa23c53bd6dbd57196e1daced63dfccd36d
DCRat
+ 7'989 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/220511-mydntsbael/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
80929c6e2d45b6db9657f6600074fb508983d73f81469f9fa3725aa3b1ab50d6
MD5 hash:
3a70da3c840408f62c7c6a3b01820c70
SHA1 hash:
ad198fd0f74edfe5f5c9b6d49f2aabbab8d60da1
Link:
https://www.unpac.me/results/fca28585-7a26-40a4-8533-ddc69fde36ab/
SH256 hash:
63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57
MD5 hash:
15aab4c1603b00c7f820ce86decbdf03
SHA1 hash:
78f32cca891fb58e6f9445b28c9d2eda84c348d4
Link:
https://www.unpac.me/results/fca28585-7a26-40a4-8533-ddc69fde36ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269658/

Comments