MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ad6085af7f01b081c9fc0faae17269441e151370782f045530d35bc5f682b20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ad6085af7f01b081c9fc0faae17269441e151370782f045530d35bc5f682b20
SHA3-384 hash: 86bf82e43636fa7f67479b66b1691bf32138c4fdfebae3d633418afb745a4f7f99dea65696c242d8bc37d641eb5836cb
SHA1 hash: a24d5dce982ed80f688cf9f2d2bebbbaef95355d
MD5 hash: 4d6d3fe497e8f168fdb47eee5a77f826
humanhash: artist-potato-winner-venus
File name:4d6d3fe497e8f168fdb47eee5a77f826.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:4'181'229 bytes
First seen:2024-07-16 19:05:17 UTC
Last seen:2024-07-24 19:31:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 98304:eDP495Xh1i5FMYVRXGLAUr6V/13Iv0he5d9xoZBj49:T95XTWFzGLAy6h5QQZBjS
Threatray 1'274 similar samples on MalwareBazaar
TLSH T10016E006B5924E32E2E42F71A4F7002D43B4DB227512DE1F3B1E6195ED422B19B2B6F7
TrID 74.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 40797161f1e17131 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://92.63.101.139/externalVmPipetoProcessServerProtectCdn.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://92.63.101.139/externalVmPipetoProcessServerProtectCdn.php https://threatfox.abuse.ch/ioc/1301840/

Intelligence

File Origin
# of uploads :
2
# of downloads :
393
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30425.UnRegNetReactor.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Packed.Uztuby-10009381-0
Create hunting rule

Win.Packed.QuasarRAT-10014495-0
Create hunting rule

Win.Packed.Uztuby-10015036-0
Create hunting rule

Win.Packed.Uztuby-10015799-0
Create hunting rule

Win.Packed.Uztuby-10015902-0
Create hunting rule

Win.Packed.Uztuby-10017372-0
Create hunting rule

Win.Packed.Zusy-10023527-0
Create hunting rule

Win.Packed.Basic-10032438-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6696c49d2c29bed579a481e3win10vpnfull_triage
Tags:
Encryption Execution Network Static Stealth Trojan Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file
Loading a suspicious library
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm dcrat epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed packed setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/6696c49ca59c11b474e8f58a/reports/aeb82cab-531f-48a8-a019-50b18680b87a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9ad6085af7f01b081c9fc0faae17269441e151370782f045530d35bc5f682b20
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3000f962-e1e5-4f99-a3c7-d1357eac3c92
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1474424
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1474424 Sample: pGQ1F8RaiV.exe Startdate: 16/07/2024 Architecture: WINDOWS Score: 100 68 198.187.3.20.in-addr.arpa 2->68 72 Snort IDS alert for network traffic 2->72 74 Antivirus detection for dropped file 2->74 76 Antivirus / Scanner detection for submitted sample 2->76 78 14 other signatures 2->78 11 pGQ1F8RaiV.exe 3 10 2->11         started        14 AWzHhzetQlxTNvcuIy.exe 15 54 2->14         started        18 AWzHhzetQlxTNvcuIy.exe 3 2->18         started        signatures3 process4 dnsIp5 56 C:\Users\user\...\SurrogateReviewSaves.exe, PE32 11->56 dropped 58 C:\Users\user\...\gYZihfjeXf37OmZ61LrB13.vbe, data 11->58 dropped 20 wscript.exe 1 11->20         started        70 92.63.101.139, 49712, 49713, 49714 THEFIRST-ASRU Russian Federation 14->70 60 C:\Users\user\Desktop\xaHfBekn.log, PE32 14->60 dropped 62 C:\Users\user\Desktop\ujRouhku.log, PE32 14->62 dropped 64 C:\Users\user\Desktop\ubhVQyJo.log, PE32 14->64 dropped 66 22 other malicious files 14->66 dropped 90 Tries to harvest and steal browser information (history, passwords, etc) 14->90 file6 signatures7 process8 signatures9 80 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->80 23 cmd.exe 1 20->23         started        process10 process11 25 SurrogateReviewSaves.exe 3 41 23->25         started        29 conhost.exe 23->29         started        file12 48 C:\Windows\PolicyDefinitions\en-US\smss.exe, PE32 25->48 dropped 50 C:\Users\user\Desktop\xFumrmnP.log, PE32 25->50 dropped 52 C:\Users\user\Desktop\vsUwEhER.log, PE32 25->52 dropped 54 28 other malicious files 25->54 dropped 82 Antivirus detection for dropped file 25->82 84 Multi AV Scanner detection for dropped file 25->84 86 Machine Learning detection for dropped file 25->86 88 4 other signatures 25->88 31 cmd.exe 25->31         started        34 schtasks.exe 25->34         started        36 schtasks.exe 25->36         started        38 13 other processes 25->38 signatures13 process14 signatures15 92 Uses ping.exe to sleep 31->92 94 Uses ping.exe to check the status of other devices and networks 31->94 40 conhost.exe 31->40         started        42 chcp.com 31->42         started        44 PING.EXE 31->44         started        46 winlogon.exe 31->46         started        process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9ad6085af7f01b081c9fc0faae17269441e151370782f045530d35bc5f682b20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ad6085af7f01b081c9fc0faae17269441e151370782f045530d35bc5f682b20/
Threat name:
Win32.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2024-07-11 03:05:44 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tllaqwxx6anqqhe7yd5k4fzgsra6cujxa6bparktbu23yx3ifmqa._file
Verdict:
malicious
Similar samples:
108d7f9bf923a83ea595f3841a3ecb139268d2e56f6ed1122b08f04e9769d42f
DCRat
182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d
DCRat
29efde654a5474a8920dbde4cac0e1cb411eeec3c86a8888984bb077e5864ff3
DCRat
4f2efddecf32090500cebdfd8bea11d04511e72786b00186af04b68f5ecfacd1
DCRat
6bcf5705424ff9935c6dfd886e666af3cb2da930cfe82b0924b599f682b8f9bf
DCRat
842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
DCRat
8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213
DCRat
bddcce49e362dfee4d32dea7ef2055a3d0004dc783afe9182b70747a9381d685
DCRat
d5a28fee15be369571b8c566a5846d9c55636d9b26dcc2be89acc3b5467715b2
DCRat
ff44f5f9b289210829eb1d740dcb04b19c762c5b08abd7f83510070dfe03490f
DCRat
+ 1'264 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240716-xr23ysydqf/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Process spawned unexpected child process
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/305f9417-20de-468e-9f87-9fa10016cd25
Unpacked files
SH256 hash:
2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669
MD5 hash:
d8bf2a0481c0a17a634d066a711c12e9
SHA1 hash:
7cc01a58831ed109f85b64fe4920278cedf3e38d
Link:
https://www.unpac.me/results/911080c5-cea8-4a81-88f6-8739562387fe/
SH256 hash:
f48ef12dd82334ae3492ffb6ec31eccd60a94e32266bbeecbc05c5281b5bb21c
MD5 hash:
fee9869cd22072682c5dc9f350853380
SHA1 hash:
085d0c0b5eb18546065372dc2ab1de5dd6a2b589
Link:
https://www.unpac.me/results/911080c5-cea8-4a81-88f6-8739562387fe/
SH256 hash:
3ee861001bcf58b99e487bb571950308b01bad2abdc1ce771417f1344684f99f
MD5 hash:
9a851fce7adb16a52e42f09b7531d42d
SHA1 hash:
3741d42107f25615884db06e4ba51435af6e0bea
Link:
https://www.unpac.me/results/911080c5-cea8-4a81-88f6-8739562387fe/
SH256 hash:
9ad6085af7f01b081c9fc0faae17269441e151370782f045530d35bc5f682b20
MD5 hash:
4d6d3fe497e8f168fdb47eee5a77f826
SHA1 hash:
a24d5dce982ed80f688cf9f2d2bebbbaef95355d
Link:
https://www.unpac.me/results/911080c5-cea8-4a81-88f6-8739562387fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ad6085af7f01b081c9fc0faae17269441e151370782f045530d35bc5f682b20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments