MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cc0cf19e63fbf43ed381c94967a1c52a606452657cc05c17b27a1a07e2c5607. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cc0cf19e63fbf43ed381c94967a1c52a606452657cc05c17b27a1a07e2c5607
SHA3-384 hash: 2d613c75df329d6678409cbe63a52cef7f03084afa5084072741466855aa2514f371946f462503ae400549d10edc09dd
SHA1 hash: e865abfec4ba14dab7561eba2f34e3bbb109b153
MD5 hash: fe23dc62734828f2dfb01dac7a854dbb
humanhash: pip-zulu-nineteen-hot
File name:fe23dc62734828f2dfb01dac7a854dbb.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:457'216 bytes
First seen:2021-08-01 07:01:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep 12288:QbjDhu9TfkDOhR4uS10bI80xy410YG62Ct6Fvt8jhzP7Nl:e1eTfkDOjNSWbGbG62CQFF8NLRl
Threatray 40 similar samples on MalwareBazaar
TLSH T152A4F166B1E01198DBB182F6C8921706E7B074711729A3CB1B7867B72B1B4D68F3D3E4
Reporter abuse_ch
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'364
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fe23dc62734828f2dfb01dac7a854dbb.exe
Verdict:
No threats detected
Analysis date:
2021-08-01 07:08:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/38e0a876-516c-465f-b65c-5f39f3f0abcb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175548/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34126398.28157.2351.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83644fcd-0831-49d2-80a5-60f077f9652a
Result
Threat name:
DCRat Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825032
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Disables security and backup related services
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457444 Sample: N45KX6gszh.exe Startdate: 01/08/2021 Architecture: WINDOWS Score: 100 127 45.137.190.236, 49727, 49728, 49729 BITWEB-ASRU Russian Federation 2->127 131 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->131 133 Multi AV Scanner detection for dropped file 2->133 135 Multi AV Scanner detection for submitted file 2->135 137 7 other signatures 2->137 11 N45KX6gszh.exe 9 2->11         started        14 Client.exe 2->14         started        17 svchost.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 121 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 11->121 dropped 22 cmd.exe 3 11->22         started        177 Antivirus detection for dropped file 14->177 179 Multi AV Scanner detection for dropped file 14->179 181 Machine Learning detection for dropped file 14->181 183 Changes security center settings (notifications, updates, antivirus, firewall) 17->183 129 127.0.0.1 unknown unknown 19->129 file6 signatures7 process8 signatures9 149 Wscript starts Powershell (via cmd or directly) 22->149 151 Uses schtasks.exe or at.exe to add and modify task schedules 22->151 153 Adds a directory exclusion to Windows Defender 22->153 25 vbn.exe 22->25         started        29 welldone.exe 2 4 22->29         started        31 zxc.exe 1 18 22->31         started        33 8 other processes 22->33 process10 dnsIp11 95 C:\...\WinruntimedhcpNetcommon.exe, PE32 25->95 dropped 97 C:\Winruntimedhcp\VJt8Zy0BQ8pAy.bat, ASCII 25->97 dropped 159 Multi AV Scanner detection for dropped file 25->159 161 Machine Learning detection for dropped file 25->161 36 wscript.exe 25->36         started        99 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 29->99 dropped 163 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->163 39 MicrosoftApi.exe 1 5 29->39         started        42 sc.exe 29->42         started        44 conhost.exe 29->44         started        101 C:\Windows\Client.exe, PE32 31->101 dropped 103 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 31->103 dropped 105 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 31->105 dropped 165 Disables security and backup related services 31->165 46 cmd.exe 31->46         started        48 cmd.exe 31->48         started        50 cmd.exe 31->50         started        52 2 other processes 31->52 123 cdn.discordapp.com 162.159.135.233, 443, 49710, 49719 CLOUDFLARENETUS United States 33->123 125 192.168.2.1 unknown unknown 33->125 107 C:\Users\user\AppData\Local\Temp\...\zxc.exe, PE32 33->107 dropped 109 C:\Users\user\AppData\Local\...\welldone.exe, PE32+ 33->109 dropped 111 C:\Users\user\AppData\Local\Temp\...\vbn.exe, PE32 33->111 dropped 167 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 33->167 file12 signatures13 process14 file15 139 Wscript starts Powershell (via cmd or directly) 36->139 54 cmd.exe 36->54         started        93 C:\Users\user\AppData\...\tmp75B1.tmp.cmd, DOS 39->93 dropped 141 Multi AV Scanner detection for dropped file 39->141 143 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->143 145 Machine Learning detection for dropped file 39->145 56 cmd.exe 39->56         started        59 cmd.exe 39->59         started        147 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 42->147 61 net.exe 46->61         started        63 conhost.exe 46->63         started        65 net.exe 48->65         started        67 conhost.exe 48->67         started        69 2 other processes 50->69 71 2 other processes 52->71 signatures16 process17 signatures18 73 WinruntimedhcpNetcommon.exe 54->73         started        77 conhost.exe 54->77         started        155 Wscript starts Powershell (via cmd or directly) 56->155 157 Adds a directory exclusion to Windows Defender 56->157 79 conhost.exe 56->79         started        81 timeout.exe 56->81         started        83 powershell.exe 56->83         started        85 conhost.exe 59->85         started        91 2 other processes 59->91 87 net1.exe 61->87         started        89 net1.exe 65->89         started        process19 file20 113 C:\Winruntimedhcp\services.exe, PE32 73->113 dropped 115 C:\Winruntimedhcp\JLwJkPyZRd.exe, PE32 73->115 dropped 117 C:\Windows\System32\...\sihost.exe, PE32 73->117 dropped 119 4 other malicious files 73->119 dropped 169 Machine Learning detection for dropped file 73->169 171 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 73->171 173 Drops PE files to the user root directory 73->173 175 3 other signatures 73->175 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cc0cf19e63fbf43ed381c94967a1c52a606452657cc05c17b27a1a07e2c5607/
Threat name:
Win64.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2021-07-31 18:05:17 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
DCRat
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
DCRat
08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9
DCRat
33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb
DCRat
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
DCRat
b9f86415d0c5348f3a7103dca2eff2528ca01c4a0e3c4b2d8092031ab327e35b
DCRat
c1f1b8f358e98ae14b424dd8d57e022b8dc68c7c5f14a8d3dea8f1e66601f351
DCRat
e94c70d3dc3ab2496465e73bffc7c5f1bc3963f3ae309a88d5e16d5e54a540ce
DCRat
+ 30 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata upx
Link:
https://tria.ge/reports/210801-7hsfax2d7n/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
Unpacked files
SH256 hash:
9cc0cf19e63fbf43ed381c94967a1c52a606452657cc05c17b27a1a07e2c5607
MD5 hash:
fe23dc62734828f2dfb01dac7a854dbb
SHA1 hash:
e865abfec4ba14dab7561eba2f34e3bbb109b153
Link:
https://www.unpac.me/results/a343b47d-69fd-4f21-9dc6-6d3ce6f2caa4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9cc0cf19e63f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/9cc0cf19e63fbf43ed381c94967a1c52a606452657cc05c17b27a1a07e2c5607

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 9cc0cf19e63fbf43ed381c94967a1c52a606452657cc05c17b27a1a07e2c5607

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1493960/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175548/

Comments