MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92f8e37e5ef9e822c86f385e482f8a20de4da03d6f1e23739111214c5774319a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 7 File information Comments

SHA256 hash:	92f8e37e5ef9e822c86f385e482f8a20de4da03d6f1e23739111214c5774319a
SHA3-384 hash:	b52685d36293ef1a4b83ec86f96a5bdd113b94ba9a559c9e812d2af55dd1f14970e7396841266fb4d8e4f0de13b5151e
SHA1 hash:	c7bdb98e123cded9b5626ba6a1856a29fbda847a
MD5 hash:	e09927fbcae1919a4550198463579d08
humanhash:	nevada-aspen-dakota-ink
File name:	E09927FBCAE1919A4550198463579D08.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'558'528 bytes
First seen:	2022-05-12 06:01:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	24576:OxW/O0pdUs1jxSMUC3m9HfWejnJiXwAHj2pp/blvLvSgg+gshuIy4+x2D1mRVk4d:cWpdUsRxS6IuqnJu+ppTlvbSjsgY+x6w
Threatray	396 similar samples on MalwareBazaar
TLSH	T1E57533BDB42E68C4D426A2F275983B03C62D3DC39CD12AE157484D627E4582F9EF7893
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://31.184.249.5/Wordpress/4/packetLine8Linux/Geoprotoneternal/Vmlinux/CpuPolllinux_/Datalife3Temporary/9/0/PythonCentraltemporary.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://31.184.249.5/Wordpress/4/packetLine8Linux/Geoprotoneternal/Vmlinux/CpuPolllinux_/Datalife3Temporary/9/0/PythonCentraltemporary.php	https://threatfox.abuse.ch/ioc/550878/

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Detection:

EnigmaStub

Link:

https://www.capesandbox.com/analysis/269825/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Changing a file

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the Program Files subdirectories

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Blocking the User Account Control

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

enigma obfuscated packed

Link:

https://www.filescan.io/uploads/627ca2f813f1480a3a184a74/reports/3daa0068-07c8-4d99-9b62-1c3c934894b7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b753bcc-3a50-4496-8b67-6327468e8043

Result

Threat name:

DCRat

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/992384

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Creates processes via WMI

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops PE files to the user root directory

Drops PE files with benign system names

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has nameless sections

Uses schtasks.exe or at.exe to add and modify task schedules

Writes many files with high entropy

Yara detected DCRat

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/92f8e37e5ef9e822c86f385e482f8a20de4da03d6f1e23739111214c5774319a/

Threat name:

ByteCode-MSIL.Backdoor.DCRat

Status:

Malicious

First seen:

2022-05-08 21:33:53 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sl4og7s67hucfsdphbpeql4kedpe3ib5n4pcg44rcequyv3uggna._file

Verdict:

malicious

DCRat

5574e0b5e404aa5bad86dd9aca033eb35421ec30dd91a9777bd6b053514010d7

DCRat

7b0f445718f91d7d32669089ecf436c8cfc3639f756ef1d91f8ba5aa90c5145a

DCRat

7b21188396d28d8de129de2a44042a4d57b42afcb6fd826628e8b6637b071f89

DCRat

92f8e37e5ef9e822c86f385e482f8a20de4da03d6f1e23739111214c5774319a

DCRat

98d24f5a424b0b6d463d945404fa14ca7f8c2db3ecdd3defc2eeddbbcdc10f70

DCRat

992a54c553bf5b53990d181c24b9ba44b93bc9f02f5a3d42dbf4d1e1f57ead5f

DCRat

d810072e7363c14184f61fee52b2968f7394ed84a7bb1ff52dba033b30ce17e0

DCRat

+ 386 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat evasion infostealer rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220512-grflysaff2/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

DcRat

Process spawned unexpected child process

UAC bypass

suricata: ET MALWARE DCRAT Activity (GET)

Unpacked files

SH256 hash:

92f8e37e5ef9e822c86f385e482f8a20de4da03d6f1e23739111214c5774319a

MD5 hash:

e09927fbcae1919a4550198463579d08

SHA1 hash:

c7bdb98e123cded9b5626ba6a1856a29fbda847a

Link:

https://www.unpac.me/results/f1da09bd-109b-4688-9c14-69647d026822/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/92f8e37e5ef9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/92f8e37e5ef9e822c86f385e482f8a20de4da03d6f1e23739111214c5774319a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing bas64 encoded gzip files

Rule name:	MALWARE_Win_DCRat Create hunting rule
Author:	ditekSHen
Description:	DCRat payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/269825/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample