MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b28463392c4a0f9af89630bd6e72c8839e0f1684e2c0e18f93202b0a79a0d49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b28463392c4a0f9af89630bd6e72c8839e0f1684e2c0e18f93202b0a79a0d49
SHA3-384 hash: 8779d2526a7242f6b465e12dcebefd48719eb19ea605c9362c8f91727108ac95f24f0d4dcc0b4c15d6a4f0a29a8c4b84
SHA1 hash: e4df105cb32e9e968da9fab98760b3eb6e483b83
MD5 hash: bf31a276762d973840aa374f13c8aecc
humanhash: tango-tennessee-don-ack
File name:bf31a276762d973840aa374f13c8aecc
Download: download sample
Signature DCRat
Create hunting rule
File size:1'289'899 bytes
First seen:2022-01-16 23:35:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0t2AVrEY/jLQTmBMKYcWzF+4u:UbA302AVrFLqcNz
Threatray 1'230 similar samples on MalwareBazaar
TLSH T1805539027A48DD11D02A1A37C5EF892447ACBE413A23DB5E7E9E736D66523B31D0D2CE
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 DCRat exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://37.46.130.214/Longpoll2External/Line/6/Mariadb/LinuxMariadbAuthPipe/dbvm3/CentralTowordpress/4Temporarydb/Datalifejs/lineSqlPackettemporary/CdnHttpProton/jsLineGenerator2/4Pipe6/javascriptServergeo9/Js_asyncCentral/SqlVm/securegeodefault.php https://threatfox.abuse.ch/ioc/297348/

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bf31a276762d973840aa374f13c8aecc
Verdict:
Malicious activity
Analysis date:
2022-01-16 23:38:21 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/dbdbceda-6239-4f75-aef9-8cb4d6243834

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219662/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Creating a file in the %temp% directory
Reading critical registry keys
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the system32 subdirectories
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4394/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware makop overlay packed packed replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/61e4acbed0a2685065c12dd6/reports/bd8f5a55-dbd3-492f-b79a-c86048784e7a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc18c1f6-e643-4b63-850a-0e8fd5ab5f63
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921497
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553975 Sample: vM7Kmfxa89 Startdate: 17/01/2022 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 Antivirus detection for dropped file 2->48 50 10 other signatures 2->50 9 vM7Kmfxa89.exe 3 6 2->9         started        12 conhost.exe 3 2->12         started        15 wininit.exe 3 2->15         started        17 8 other processes 2->17 process3 dnsIp4 38 C:\...\fontperfDllintoRuntimehost.exe, PE32 9->38 dropped 20 wscript.exe 1 9->20         started        60 Antivirus detection for dropped file 12->60 62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 40 37.46.130.214, 49745, 49757, 49762 THEFIRST-ASRU Russian Federation 17->40 42 192.168.2.1 unknown unknown 17->42 66 Tries to harvest and steal browser information (history, passwords, etc) 17->66 file5 signatures6 process7 process8 22 cmd.exe 1 20->22         started        process9 24 fontperfDllintoRuntimehost.exe 4 11 22->24         started        28 conhost.exe 22->28         started        file10 32 C:\Windows\System32\...\conhost.exe, PE32 24->32 dropped 34 C:\Windows\ShellNew\wininit.exe, PE32 24->34 dropped 36 C:\...\LkZjUeobBXMnoAxNyNSCoZwi.exe, PE32 24->36 dropped 52 Antivirus detection for dropped file 24->52 54 Multi AV Scanner detection for dropped file 24->54 56 Machine Learning detection for dropped file 24->56 58 4 other signatures 24->58 30 fontperfDllintoRuntimehost.exe 2 24->30         started        signatures11 process12
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 21:11:00 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 43 (53.49%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmuemm4sysqptl4jmmf5nzzmra46b4lijywa4ghzgiblbj42bveq._file
Verdict:
malicious
Similar samples:
0bc78b7c85f56566d4a7d5698935a3b4147648588cda45ee1b320fc2489f4c4d
DCRat
304edff857fa25804412b30701ed763a0bb2588b9301e8253951328338a12158
DCRat
51b8434c68594113a4036358e477fe1ae1b4cc0b99d653b224250e24537d87e2
DCRat
5487f2263ad9238d80e7db399d980f1bb66c1c5b43d5595165e097ee385ddb53
DCRat
6e491124fc83eb50eae434f1aafe070f9dba30d2ed03d10abd7cc2d91fcfc4dd
DCRat
8b28463392c4a0f9af89630bd6e72c8839e0f1684e2c0e18f93202b0a79a0d49
DCRat
95155b1eb26b2f4d548de9b64239aa4339c191a56b9f1e61697351dced1c9bc7
DCRat
da685aede35b040929ea3cd659e921c89fe64e93551a94440ec7f9f8b1f85802
DCRat
+ 1'220 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/220116-3lj8vagch7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
3502148777d809ef7ac93b154fc84314d4ed61d5d0523dc5935002d06fd9f9de
MD5 hash:
bc38bdd1f23854caac3531fa37fd7951
SHA1 hash:
490db754b555556008da60333ca6ef19da36767d
Link:
https://www.unpac.me/results/96286538-79b1-48e6-a475-35adccafcb15/
SH256 hash:
56fe11533f60f08bbd9514b3e866e07fe67b4b2d842b9c20667ab6fb402e6bde
MD5 hash:
a5380afd946a57bd6dc269b56d40758b
SHA1 hash:
98dd35406c3d35df6ec15cf5ef1f4d82e050a909
Link:
https://www.unpac.me/results/96286538-79b1-48e6-a475-35adccafcb15/
SH256 hash:
8b28463392c4a0f9af89630bd6e72c8839e0f1684e2c0e18f93202b0a79a0d49
MD5 hash:
bf31a276762d973840aa374f13c8aecc
SHA1 hash:
e4df105cb32e9e968da9fab98760b3eb6e483b83
Link:
https://www.unpac.me/results/96286538-79b1-48e6-a475-35adccafcb15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b28463392c4a0f9af89630bd6e72c8839e0f1684e2c0e18f93202b0a79a0d49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 8b28463392c4a0f9af89630bd6e72c8839e0f1684e2c0e18f93202b0a79a0d49

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1982279/
Cape
Cape
https://www.capesandbox.com/analysis/219662/

Comments