MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f2ff0367f882b4ba4f7d29d4e919bebad0c48519d245305af9a791e5b450a17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 11



SHA256 hash: 8f2ff0367f882b4ba4f7d29d4e919bebad0c48519d245305af9a791e5b450a17
SHA3-384 hash: 1d1961e77c484d6dbb9e9366c75e467695bd678ad35e02993d4e93e8879f3f67a34b2d922ff10b4be01d16b12a8a5f1f
SHA1 hash: 7ee242b196f59a4667cf1c9a3f7f879d4c0dc10a
MD5 hash: b2c8d8738599f3f590fbf1d4fbcc5c14
humanhash: washington-princess-grey-fruit
File name: b2c8d8738599f3f590fbf1d4fbcc5c14.exe
Signature DCRat
File size: 14'522'880 bytes
First seen: 2022-03-14 12:56:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep 393216:c930kIzqc5EIBt/ex4BulvsrFJCpqMCtf4:cuzqc3t/+4BKEhJCpqMCtf4
TLSH T13CE6E0E1794AA2DFC18A45B4E512CF03D41D1BF586248942DC7EB4BDEBB3D9611CAF08
dhash icon e88e968c8c8c88b2 (1 x DCRat, 1 x RecordBreaker)
Reporter abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://hyuihyuihyuihyuihyuihyuihyuihyuihyuihyuihyu.site/Requestdefault.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://hyuihyuihyuihyuihyuihyuihyuihyuihyuihyuihyu.site/Requestdefault.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/395141/

Intelligence


File Origin
# of uploads: 1
# of downloads: 247
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Launching the process to interact with network services
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer evasive greyware packed scar shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
66 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Obfuscated command line found
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: File Created with System Process Name
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Behavior Graph ID: 588585
Sample: KCR2JIl6tT.exe
Startdate: 14/03/2022
Architecture: WINDOWS
Score: 66

Start (node 2)
  DNS / IP: www3.l.google.com; www.msftncsi.com; 19 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 9 other signatures
  Started: KCR2JIl6tT.exe (node 10); svchost.exe (node 13); svchost.exe (node 16); 12 other processes (node 19)

KCR2JIl6tT.exe (node 10)
  Dropped: C:\Users\user\AppData\...\sys_driver.exe (PE32); C:\...\Avira Phantom VPN 2.37.4.17510.exe (PE32)
  Started: sys_driver.exe (node 21); Avira Phantom VPN 2.37.4.17510.exe (node 26)

svchost.exe (node 13)
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

svchost.exe (node 16)
  DNS / IP: 127.0.0.1 (unknown)

sys_driver.exe (node 21)
  DNS / IP: cdn.discordapp.com 162.159.130.233, port 443, source port 49762, CLOUDFLARENETUS, United States; 192.168.2.1 (unknown)
  Dropped: C:\ProgramData\dufosf7HpWmPb1dK.exe (PE32)
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Started: dufosf7HpWmPb1dK.exe (node 28); WerFault.exe (node 32); WerFault.exe (node 34)

Avira Phantom VPN 2.37.4.17510.exe (node 26)
  Dropped: C:\...\Avira Phantom VPN 2.37.4.17510.tmp (PE32)
  Signatures: Obfuscated command line found
  Started: Avira Phantom VPN 2.37.4.17510.tmp (node 36)

dufosf7HpWmPb1dK.exe (node 28)
  Dropped: C:\Windows\System32\wshom\dwm.exe (PE32); C:\Windows\System32\...\fontdrvhost.exe (PE32); C:\Windows\System32\edpcsp\dllhost.exe (PE32); 3 other files (1 malicious)
  Signatures: Creates multiple autostart registry keys; Drops executables to the windows directory (C:\Windows) and starts them; Creates an autostart registry key pointing to binary in C:\Windows; 2 other signatures

Avira Phantom VPN 2.37.4.17510.tmp (node 36)
  Dropped: C:\Users\user\AppData\...\syspin.exe (copy) (PE32); C:\Users\user\AppData\Local\...\is-7TV09.tmp (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); 75 other files (none is malicious)
  Started: net.exe (node 38)

net.exe (node 38)
  Started: conhost.exe (node 40); net1.exe (node 42)
Threat name:
Win32.Trojan.Fugrafa
Status:
Malicious
First seen:
2022-03-11 19:30:48 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
37 of 42 (88.10%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:dcrat evasion infostealer persistence rat spyware stealer suricata themida trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
DcRat
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SHA256 hash: d19712d381fcd45e58d46e6a930d7827b5a5fb4434c8ee9ae1819fb03a0ba380
MD5 hash: ffefe07d32cebf6470f6e577ea3cb0cb
SHA1 hash: de26b82b1e32c67faff3227ca9d65e40914fddb6

SHA256 hash: af41154dd2456652fd8461e0039705105bde02f5563808209c1d050662fd206e
MD5 hash: ff69e66b97da8d9e46a7b73cc60177a8
SHA1 hash: 6f5275a7d4eb3039de7a2d21c972a26f9be95526

SHA256 hash: 0ce229bfd9c970f1ae008bddf6bf532a75ec76aa3b71ce74de8b241a6cab0493
MD5 hash: ee0d4e165525a785c7eb09d4185c7138
SHA1 hash: 7c6af124e5ad95d7062640ed9895e52cc66083f3

SHA256 hash: dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash: c02a029c978f13b753c6b578b1588c75
SHA1 hash: e125d59451e7f467bfd329a00a506decbcd91d83

SHA256 hash: f83e59b770434dc0f5e4e39ddc96476dee09428bf438af59cf880e221920b783
MD5 hash: 0f55a60e7fef669a4bd07255e1ffae4d
SHA1 hash: ab1d32b9bf48fe049c00bcba2de0378f4fc939d9

SHA256 hash: f9608b8a80f7fcb77178e0f073cee04fe7b2aa51fa57f5a9ed9eb617c372efe6
MD5 hash: 4e60958c63aedd6240a99a03401903c0
SHA1 hash: 0d26d4337b7267703384f76f3d7e9c0c442cd799

SHA256 hash: 8f2ff0367f882b4ba4f7d29d4e919bebad0c48519d245305af9a791e5b450a17
MD5 hash: b2c8d8738599f3f590fbf1d4fbcc5c14
SHA1 hash: 7ee242b196f59a4667cf1c9a3f7f879d4c0dc10a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables Discord URL observed in first stage droppers

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_Discord_Attachments_URL
Author: SECUINFRA Falcon Team
Description: Detects a PE file that contains a Discord Attachments URL. This is often used by Malware to download further payloads

Rule name: SUSP_PE_Discord_Attachment_Oct21_1
Author: Florian Roth
Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments