MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c8bc051a42578631ab04380a0daef57e67abd8cf1a272e75213285929a74c5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c8bc051a42578631ab04380a0daef57e67abd8cf1a272e75213285929a74c5e
SHA3-384 hash: 187e93a1fcaf0674934507069c36ebe2bf9ab811124fa0d72f86d3b9585b40389376dc23f649fc499752c9004802cdac
SHA1 hash: 214c8c0b3d7c898e415778985d7ce11da7615da5
MD5 hash: eff7b76160e2b43f723ed55925376133
humanhash: aspen-papa-johnny-paris
File name:EFF7B76160E2B43F723ED55925376133.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:11'710'464 bytes
First seen:2024-01-03 13:05:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep 196608:qW6EaHc9MZoA6Sv1A9d+EMep3MB8dNcb:563Hs5NbMe9MubY
Threatray 128 similar samples on MalwareBazaar
TLSH T15CC633BF5AFF7EC4D4343AF82EA6976289D7A1C1C5974F1D4E0C60686D8017326321AE
TrID 32.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.8% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a0899050.xsph.ru/_Defaultwindows.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
363
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit lokibot remcos stealer
Link:
https://www.filescan.io/uploads/65955bbeeabaed070175579c/reports/1d2a8fc0-31b9-4cc0-8f67-26b9ef47b5d8/overview
Verdict:
Malicious
Labled as:
ExNuma.Generic
Link:
https://www.hybrid-analysis.com/sample/8c8bc051a42578631ab04380a0daef57e67abd8cf1a272e75213285929a74c5e
Result
Verdict:
MALICIOUS
Malware family:
StrelaStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4552a8c3-c3c1-4f04-8b88-5aa1064b4c6e
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1369260
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1369260 Sample: tbyt9ckmFe.exe Startdate: 03/01/2024 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Antivirus detection for dropped file 2->55 57 10 other signatures 2->57 7 tbyt9ckmFe.exe 3 2->7         started        10 Registry.exe 2 2->10         started        process3 file4 31 C:\Users\user\AppData\Local\Temp\load1.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\Local\...\LOADERr.exe, PE32+ 7->33 dropped 13 load1.exe 4 24 7->13         started        17 LOADERr.exe 13 7->17         started        59 Antivirus detection for dropped file 10->59 61 Multi AV Scanner detection for dropped file 10->61 63 Machine Learning detection for dropped file 10->63 signatures5 process6 file7 35 C:\Windows\System32\zCxsjIsZjlJoFFDCtOu.exe, PE32 13->35 dropped 37 C:\WindowsLAMBKUP\zCxsjIsZjlJoFFDCtOu.exe, PE32 13->37 dropped 39 C:\Users\Public\dwm.exe, PE32 13->39 dropped 47 7 other malicious files 13->47 dropped 65 Antivirus detection for dropped file 13->65 67 Multi AV Scanner detection for dropped file 13->67 69 Machine Learning detection for dropped file 13->69 71 4 other signatures 13->71 19 schtasks.exe 13->19         started        21 schtasks.exe 13->21         started        23 schtasks.exe 13->23         started        29 30 other processes 13->29 41 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 17->41 dropped 43 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 17->43 dropped 45 C:\Users\user\AppData\Local\...\python311.dll, PE32+ 17->45 dropped 49 7 other malicious files 17->49 dropped 25 LOADERr.exe 1 17->25         started        27 conhost.exe 17->27         started        signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c8bc051a42578631ab04380a0daef57e67abd8cf1a272e75213285929a74c5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c8bc051a42578631ab04380a0daef57e67abd8cf1a272e75213285929a74c5e/
Threat name:
Win32.Trojan.ExNuma
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 09:05:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rsf4auneev4gggvqioakbwxpk7thvpmm6grhfz2scmufsknhjrpa._file
Verdict:
malicious
Similar samples:
4690a17fffe8940aab38a0e88ef7fef186a5995e4d00e2d0cccde30ceaafcb9c
DCRat
68b4f3aa874ed36af78042c8a7d25ae03a362b0b9eede86fe714451844325357
DCRat
80cc02b76df0e84c09c64a9ecc3f746e4a776dde0abef216b9bf528ec2ddba4c
DCRat
9fe02aaada149d3806300b2e860386533ef371df36842c212e2483642086dd37
DCRat
db27a1103437042989486896fb714fd8cd59a856a7db453bbcc2162794b3fde6
DCRat
+ 118 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer pyinstaller rat
Link:
https://tria.ge/reports/240103-qb3afsdbcl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
426266b0d2d3d188603b863fb0674f8cdeafb51057e75be69465412ec48e73e5
MD5 hash:
49ca93967da1e1e537a2a7c5c7281a6b
SHA1 hash:
5d3f4ead9ea9c4ca7464f007e0e103da922550c4
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/e958423a-7a1f-44d2-aae1-6f095ad9a3d8/
SH256 hash:
8c8bc051a42578631ab04380a0daef57e67abd8cf1a272e75213285929a74c5e
MD5 hash:
eff7b76160e2b43f723ed55925376133
SHA1 hash:
214c8c0b3d7c898e415778985d7ce11da7615da5
Link:
https://www.unpac.me/results/e958423a-7a1f-44d2-aae1-6f095ad9a3d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/8c8bc051a42578631ab04380a0daef57e67abd8cf1a272e75213285929a74c5e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments