MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a69dc8355555a35e9eea92bbc016e0a2b3af19f696cb1e850bbce44ed6d6302f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat
Vendor detections: 11

SHA256 hash: a69dc8355555a35e9eea92bbc016e0a2b3af19f696cb1e850bbce44ed6d6302f
SHA3-384 hash: 3dbd47937225bbfbb643a3941dc1f68ded859fa79768c6d676f8735e57dfeac16aa658062fc7cb963f542f41bb82fe07
SHA1 hash: c5e25c1e02715adaae080142acd2acaab3a11ba0
MD5 hash: 1ed0df983721ede9cfb0faef8b515316
humanhash: eight-sixteen-double-alanine
File name: 1ed0df983721ede9cfb0faef8b515316
Signature: DCRat
File size: 1'571'712 bytes
First seen: 2021-12-02 22:49:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 64574aa671b8a2458daacf02c03c4bf2 (1 x DCRat)
ssdeep: 24576:UEkR2+JVugZwyYdZW2lWQsKE70A5wnWCSxECBE3NkJe:xzmDCyYdZwKEndCSxbBEdk
Threatray: 317 similar samples on MalwareBazaar
TLSH: T15475D05852B91BC6C2C2F436E9007906F8AF85BE3E6A525238553C6F3BF505FC37A219
dhash icon: 0002318ef0338c00 (1 x DCRat)
Reporter: zbetcheckin
Tags: 32 DCRat exe

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://199.192.28.234/Topythongenerator.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/258830/

Intelligence

File Origin
# of uploads: 1
# of downloads: 194
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1ed0df983721ede9cfb0faef8b515316
Verdict: Malicious activity
Analysis date: 2021-12-02 22:51:06 UTC
Tags: trojan rat backdoor dcrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating synchronization primitives
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Creating a file
Creating a file in the %temp% directory
DNS request
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Sending a custom TCP request
Creating a process from a recently created file
Sending an HTTP GET request
Searching for synchronization primitives
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Behavior Graph ID: 533035
Sample: 3bLqSInklo
Startdate: 02/12/2021
Architecture: WINDOWS
Score: 100
Signatures on the sample: Found malware configuration; Yara detected DCRat; Machine Learning detection for sample; 4 other signatures
Processes started: 3bLqSInklo.exe; smss.exe; explorer.exe; 10 other processes
Process 3bLqSInklo.exe
Dropped: C:\Windows\SysWOW64\wbem\...\WmiPrvSE.exe (PE32); C:\Windows\SysWOW64\ntshrui\fontdrvhost.exe (PE32); C:\Windows\...\ApplicationFrameHost.exe (PE32); 15 other files (14 malicious)
Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
Started: backgroundTaskHost.exe
Process smss.exe
Signatures: Machine Learning detection for dropped file; Tries to evade analysis by execution special instruction which cause usermode exception
Process backgroundTaskHost.exe
Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Tries to evade analysis by execution special instruction which cause usermode exception
Threat name: Win32.Trojan.Lazy
Status: Malicious
First seen: 2021-12-02 22:50:18 UTC
File Type: PE (Exe)
Extracted files: 40
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence suricata
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SHA256 hash: 0ff74d9a4b75231a22bfa23c25b938858c5cf92ab7389cc2d2e45980d19fafad
MD5 hash: 30fa87d6738645d795ca960535b2f5f9
SHA1 hash: 06f85c33eca595e276f64978c6f454bcf01c894b

SHA256 hash: 210000115af677607edbc54d303ed248828adc0880ea68bc8660fc8f42cd3202
MD5 hash: 06ef33dd1cb2f753ab32621989086d34
SHA1 hash: 1f9bf6536ee0499e98723261b673f2659b58d067

SHA256 hash: a69dc8355555a35e9eea92bbc016e0a2b3af19f696cb1e850bbce44ed6d6302f
MD5 hash: 1ed0df983721ede9cfb0faef8b515316
SHA1 hash: c5e25c1e02715adaae080142acd2acaab3a11ba0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: DCRat, Executable exe a69dc8355555a35e9eea92bbc016e0a2b3af19f696cb1e850bbce44ed6d6302f (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2021-12-02 22:49:09 UTC

url : hxxp://host-file-host-3.com/files/7222_1638425720_2593.exe