MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76fbd6dbf2d6ff05e54a6a0e7eb8dce158d94a468e80e1c12844e2af2e951d0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76fbd6dbf2d6ff05e54a6a0e7eb8dce158d94a468e80e1c12844e2af2e951d0f
SHA3-384 hash: 36857b84c588a985198d41ba65ce07a5d754156240cc54c338676fc1385cbcd2010ec965e04ba79bf29a2979c4b94c2a
SHA1 hash: 9678b2ac5b6bbf002b64de2c224c03c566c576f0
MD5 hash: 80ae09068490ffc783d75026b345f8db
humanhash: hot-december-oklahoma-mexico
File name:80ae09068490ffc783d75026b345f8db
Download: download sample
Signature DCRat
Create hunting rule
File size:2'039'728 bytes
First seen:2021-12-16 15:47:17 UTC
Last seen:2021-12-16 18:43:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bfe0b60630c0b253d72c98f2b93f728c (1 x DCRat)
ssdeep 49152:kACilDsS3I95pp1zFMknZPXYlXSjzBpbgITKBkBg0Fl5WwvBC+aamJ33Kg:Cp8VJ0FzxkamJ
Threatray 400 similar samples on MalwareBazaar
TLSH T1DD956BDFE7308D6EFD80023D5A8D5E679A475E50815BF2CAD52BF2326BB9B680C11432
File icon (PE):PE icon
dhash icon 38e2a6a6a6f2e438 (1 x DCRat)
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214626/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.5914.22025.4418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Creating a file in the Program Files subdirectories
DNS request
Creating a process from a recently created file
Creating a process with a hidden window
Sending an HTTP GET request
Reading critical registry keys
Searching for synchronization primitives
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2285/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd92b44e-735d-4559-a2e8-e81608d3e403
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908627
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76fbd6dbf2d6ff05e54a6a0e7eb8dce158d94a468e80e1c12844e2af2e951d0f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-12 22:29:51 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
28 of 43 (65.12%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
1c0eb090ad769cdd943476e9300d57e553ad24f099408334b8c0370ee9bb7648
DCRat
200b64a2d1d30811d3feae4a361bd652104ecc7ac98c7c4804f0bbf2bb47028e
DCRat
4a78da86088eed90bd838d99d1afd5ceaca6c9c521be450639670f6d06a7fe77
DCRat
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
DCRat
79afc9b39ba7fe7dd6ed282d39eb915bb47271d552177f62c6606b99901f9cd2
DCRat
8bc03680f98a99ea21d78a4a132be678f848a7209efa0656123745fba54fae03
DCRat
9dd91a17703dba0d4582e24431c17eac4fdca602ea8d14f4f43afcc2657b3bbc
DCRat
9fbdcf044aba61ae6c0678b5f83fc4bd8b589ba3a4fd12a5bef53e2ead494eed
DCRat
ed190afc14d4389527347867538df5949d132ce9d5da7c323e8812b08c0242be
DCRat
f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92
DCRat
+ 390 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer suricata
Link:
https://tria.ge/reports/211216-s8rw4adbam/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
4d95e78bb8e3847805c34450dce2da1f2b9f33cc1412281878b1a31c7db5c7b3
MD5 hash:
631952acdb73b96c90f83634e6c5d7c2
SHA1 hash:
886c9323ff1b246a0f2a8ab0a2222ef79f10ce44
Link:
https://www.unpac.me/results/df0288fa-0076-482c-8ca5-6ba9e7526119/
SH256 hash:
aef52811b74cd4b4e93d4605c117ef4d6bbc3da0284b7f69c055779499cac551
MD5 hash:
bad98d0ea9eb5f8c9e808ef3856bf2e8
SHA1 hash:
096b2f7a027d492c26e9fc57ff5884973855f35e
Link:
https://www.unpac.me/results/df0288fa-0076-482c-8ca5-6ba9e7526119/
SH256 hash:
9a96cea4a2c0b7e9b8287cce4f9de973986de89207cba2da2e014bc5720e4688
MD5 hash:
b99d8cd73df5d73a59d62ca3879b0914
SHA1 hash:
27150b4e168948b09f996fc92aed3faa72b68bd4
Link:
https://www.unpac.me/results/df0288fa-0076-482c-8ca5-6ba9e7526119/
SH256 hash:
ceb50ae65c88a0815a01db963b269b6d99c02994b46a020d591c67b039986380
MD5 hash:
f794172f487ac4fe9a589fa9460b42ce
SHA1 hash:
1ceb1e4a516713b17da680ad4f4aca673cad6446
Link:
https://www.unpac.me/results/df0288fa-0076-482c-8ca5-6ba9e7526119/
SH256 hash:
76fbd6dbf2d6ff05e54a6a0e7eb8dce158d94a468e80e1c12844e2af2e951d0f
MD5 hash:
80ae09068490ffc783d75026b345f8db
SHA1 hash:
9678b2ac5b6bbf002b64de2c224c03c566c576f0
Link:
https://www.unpac.me/results/df0288fa-0076-482c-8ca5-6ba9e7526119/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76fbd6dbf2d6ff05e54a6a0e7eb8dce158d94a468e80e1c12844e2af2e951d0f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 76fbd6dbf2d6ff05e54a6a0e7eb8dce158d94a468e80e1c12844e2af2e951d0f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1890772/
Cape
Cape
https://www.capesandbox.com/analysis/214626/

Comments


Avatar
zbet commented on 2021-12-16 15:47:19 UTC

url : hxxp://coin-coin-data-6.com/files/3073_1639334837_9076.exe