MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 743b77ef58d332261379256b017179010a8d33fa4a8b5fbb78f977de6dff5028. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 743b77ef58d332261379256b017179010a8d33fa4a8b5fbb78f977de6dff5028
SHA3-384 hash: ebcea4373a16bce357eaf24a9a4b8c8113cf6ddf683e4bc0029dc4813ae0e52579574ad531ca7a1f8c05f68a1f4226bf
SHA1 hash: 97bd5e46749c874dc0e7e707429b165321556544
MD5 hash: cffb0e02aa400956a945c76b513f4940
humanhash: fix-connecticut-johnny-seven
File name:Software patch v2.5.2.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'563'282 bytes
First seen:2021-07-19 00:02:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:22G/nvxW3WFFbhEEjfzJSy3NjnZorvUv2C7/3q1j/eAT+48:2bA3y1dW/xiV
Threatray 505 similar samples on MalwareBazaar
TLSH T1DA7529027784DD11D06D163FF9EF541C47B8F9022B62F71B7A9E3399A4263A35E0A1CA
Reporter Anonymous
Tags:DCRat exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://83.220.173.160/PhpSecure.php https://threatfox.abuse.ch/ioc/161265/

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bit.ly/3hMVIdd
Verdict:
Malicious activity
Analysis date:
2021-07-18 02:26:52 UTC
Tags:
stealer trojan rat backdoor dcrat evasion
Link:
https://app.any.run/tasks/2da8adad-a43d-428d-a04f-ba31692e32af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172451/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

Win.Packed.Uztuby-9877681-0
Create hunting rule

Win.Malware.Uztuby-9878616-0
Create hunting rule

Win.Packed.Uztuby-9878626-0
Create hunting rule

Win.Packed.Uztuby-9878629-0
Create hunting rule

Win.Packed.Uztuby-9878755-0
Create hunting rule

Win.Malware.Uztuby-9878756-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22700f21-4ab2-48bd-9e19-feecc2369b70
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817983
Signature
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450394 Sample: Software patch v2.5.2.exe Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 8 other signatures 2->65 10 Software patch v2.5.2.exe 3 10 2->10         started        13 ctfmon.exe 3 2->13         started        process3 file4 55 C:\Users\user\...\drivercrtDrivercrtnet.exe, PE32 10->55 dropped 57 C:\Users\...\rQLuXSbLnOVU5iHF4fqfsgykZs.vbe, data 10->57 dropped 16 wscript.exe 1 10->16         started        81 Multi AV Scanner detection for dropped file 13->81 83 Machine Learning detection for dropped file 13->83 85 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->85 signatures5 process6 process7 18 cmd.exe 1 16->18         started        process8 20 drivercrtDrivercrtnet.exe 1 18 18->20         started        24 conhost.exe 18->24         started        file9 47 C:\Windows\...\backgroundTaskHost.exe, PE32 20->47 dropped 49 C:\Windows\System32\KBDHU1\ctfmon.exe, PE32 20->49 dropped 51 C:\Users\user\Music\wermgr.exe, PE32 20->51 dropped 53 3 other malicious files 20->53 dropped 67 Multi AV Scanner detection for dropped file 20->67 69 Machine Learning detection for dropped file 20->69 71 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->71 73 2 other signatures 20->73 26 RuntimeBroker.exe 2 20->26         started        29 schtasks.exe 1 20->29         started        31 schtasks.exe 1 20->31         started        33 4 other processes 20->33 signatures10 process11 signatures12 75 Multi AV Scanner detection for dropped file 26->75 77 Machine Learning detection for dropped file 26->77 79 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 26->79 35 conhost.exe 29->35         started        37 conhost.exe 31->37         started        39 conhost.exe 33->39         started        41 conhost.exe 33->41         started        43 conhost.exe 33->43         started        45 conhost.exe 33->45         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/743b77ef58d332261379256b017179010a8d33fa4a8b5fbb78f977de6dff5028/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 21:25:45 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oq5xp32y2mzcme3zevvqc4lzaefi2m72jkfv7o3y7f3543p7kaua._file
Verdict:
malicious
Similar samples:
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
DCRat
37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
DCRat
40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
629c671a92b4a3af617c2d8fe133430ab77aac0acb07914f047f8868eb9ed92a
DCRat
748f35be261019103aae31d43b1fa88fda9cbc99043122e76b5c0a0d94cb808f
DCRat
b7700c66e40ddd73a718794c1f295d1a56251aa0cdb89b215120a09bb5e61e9e
DCRat
f60133f0545df116739879fd080e0fc688aece721a4123612ebaa479c2c551e0
DCRat
ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93
DCRat
+ 495 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat spyware stealer
Link:
https://tria.ge/reports/210719-47nwqcwxpa/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DCRat Payload
DcRat
Unpacked files
SH256 hash:
abbda62ca0b6ef56e2329bd04891df63e4bd07c3d0087ff3fbb8b881e99b0254
MD5 hash:
950d31605bae67654ea1efd39953bbfd
SHA1 hash:
d6f3767acd9dcfd9118b89da8810878292d96aa1
Link:
https://www.unpac.me/results/f3b73628-c8ed-41a2-9c94-293fecf18808/
SH256 hash:
4d017a85bb80c45a72fc576782f257c760d42662b9e7f3520b3650b47f7d70df
MD5 hash:
9bf7b9dbf7b5e3676b0ae2aba62fa627
SHA1 hash:
48e8982d624e74633923842eb9328ea088c3fd05
Link:
https://www.unpac.me/results/f3b73628-c8ed-41a2-9c94-293fecf18808/
SH256 hash:
743b77ef58d332261379256b017179010a8d33fa4a8b5fbb78f977de6dff5028
MD5 hash:
cffb0e02aa400956a945c76b513f4940
SHA1 hash:
97bd5e46749c874dc0e7e707429b165321556544
Link:
https://www.unpac.me/results/f3b73628-c8ed-41a2-9c94-293fecf18808/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/743b77ef58d332261379256b017179010a8d33fa4a8b5fbb78f977de6dff5028

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172451/

Comments