MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d189b2a56282e1e2d02e850477ce9634e2340e3506875d2dfe759db232f4cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d189b2a56282e1e2d02e850477ce9634e2340e3506875d2dfe759db232f4cf7
SHA3-384 hash: dff882945e118fb6a64045e22ed82e2f512de43a95e5347782aa343b32f6718fd2d8bbf39c21633f1efb69292e8530de
SHA1 hash: c02ede6aa0eef92618aea670086ab64561bf2775
MD5 hash: 910fad7c1789c24168ea0b2ff1ab7653
humanhash: nevada-chicken-fruit-august
File name:7d189b2a56282e1e2d02e850477ce9634e2340e350687.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'401'789 bytes
First seen:2022-09-17 06:26:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0tyTKwxRBmX337oIRsGcQAKhGMrFxbf:UbA30yuwxiXbj3uMnb
Threatray 4'320 similar samples on MalwareBazaar
TLSH T111556B027E44CA22F0192633C2FF464847B4A8516BA6F72B7EB9376D55123937C1DACB
TrID 54.2% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
40.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
2.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://194.87.31.20/Traffic/sql4Templow/AuthBigload.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.87.31.20/Traffic/sql4Templow/AuthBigload.php https://threatfox.abuse.ch/ioc/850140/

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7d189b2a56282e1e2d02e850477ce9634e2340e350687.exe
Verdict:
Malicious activity
Analysis date:
2022-09-17 06:27:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3d44240-1d9f-48ba-86e7-0cecdd5944e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310841/
Detection(s):
Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Malware.Uztuby-9957322-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/632568fc35180ec88e30577a/reports/dc7f0ae8-2467-4eb3-aefe-055613f892e5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ece8201-c2b2-4207-9b3c-77f358d28783
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072116
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 704658 Sample: 7d189b2a56282e1e2d02e850477... Startdate: 17/09/2022 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 7 other signatures 2->49 9 7d189b2a56282e1e2d02e850477ce9634e2340e350687.exe 3 6 2->9         started        12 cMygjwxkdJMe.exe 2 2->12         started        15 WmiPrvSE.exe 2->15         started        17 25 other processes 2->17 process3 file4 39 C:\ServerComponentcrt\Webhost.exe, PE32 9->39 dropped 41 C:\...\uj3Zd0LQ82Sxnz43vPlOqz.vbe, data 9->41 dropped 19 wscript.exe 1 9->19         started        59 Multi AV Scanner detection for dropped file 12->59 signatures5 process6 process7 21 cmd.exe 1 19->21         started        process8 23 Webhost.exe 3 34 21->23         started        27 conhost.exe 21->27         started        file9 31 C:\Windows\debug\backgroundTaskHost.exe, PE32 23->31 dropped 33 C:\Windows\WaaS\services\WmiPrvSE.exe, PE32 23->33 dropped 35 C:\Users\Default\AppData\...\dllhost.exe, PE32 23->35 dropped 37 11 other files (7 malicious) 23->37 dropped 51 Antivirus detection for dropped file 23->51 53 Multi AV Scanner detection for dropped file 23->53 55 Machine Learning detection for dropped file 23->55 57 2 other signatures 23->57 29 schtasks.exe 23->29         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d189b2a56282e1e2d02e850477ce9634e2340e3506875d2dfe759db232f4cf7/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2022-09-17 06:27:14 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pumjwkswfaxb4lic5bieo7hjmnhcgqhdkbuhluw745m5wizpjt3q._file
Verdict:
malicious
Similar samples:
1e7276a9d78e8a5ac877c66ccd9b33b76d7a09bd9b31ac2af7becbc4ef2b2b96
DCRat
5ef771a9cb0f773bc48ebb6280824ae498fd4d9e66e3fd55737693d5c8efb6c5
DCRat
c31214bca48d5c4cf80d498e0a14c6b441e30d1caac1a283485adef37dfa453a
DCRat
fa3bf34d44f6303f6c929b4eb85bc202de73a9d81dc4ad37f486456163697091
DCRat
ff35ee184888d92a40041c93d499dd4a665a61092c66781c98ae9e71cd0016f8
DCRat
+ 4'310 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/220917-g7rn6adbfr/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/be56f23f-40a9-46ef-bd8e-38484f41cea1
Unpacked files
SH256 hash:
ced608d5f5826533e8b2df84558a3c460ba46ae716a15f99e4b4b67fbc06c106
MD5 hash:
6eb8cc11833900eae9eab4125de7dc55
SHA1 hash:
ac475d0a76ed27798bebd7b66e5801a3feac9d35
Link:
https://www.unpac.me/results/5639d148-8ca4-4054-b6d5-89016dce6cda/
SH256 hash:
c84dea67a6c2545d557a90c1a3e0bb8f98516c839a84449fa163433a7e0de858
MD5 hash:
22258e50376579879e7a14e2e1e6e632
SHA1 hash:
020b6c495704912c8e9b149f6c0c1d11339b42fd
Link:
https://www.unpac.me/results/5639d148-8ca4-4054-b6d5-89016dce6cda/
SH256 hash:
e287cc37da92a45a1b35b5844de93ea21498e1b78087ffcb976c0dbac328774a
MD5 hash:
a5de7adb9a722545b29190704f49efa5
SHA1 hash:
132d62d572a1dbba722adc4833e969644f1b7aa5
Link:
https://www.unpac.me/results/5639d148-8ca4-4054-b6d5-89016dce6cda/
SH256 hash:
7d189b2a56282e1e2d02e850477ce9634e2340e3506875d2dfe759db232f4cf7
MD5 hash:
910fad7c1789c24168ea0b2ff1ab7653
SHA1 hash:
c02ede6aa0eef92618aea670086ab64561bf2775
Link:
https://www.unpac.me/results/5639d148-8ca4-4054-b6d5-89016dce6cda/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d189b2a56282e1e2d02e850477ce9634e2340e3506875d2dfe759db232f4cf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Record_Breaker_Similarities
Create hunting rule
Author:DigitalPanda
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310841/

Comments