MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a71a36b9a00cdbc6d3e38450fb87932cbb4f34a1e94eab9c7a2dd352c00be20d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	a71a36b9a00cdbc6d3e38450fb87932cbb4f34a1e94eab9c7a2dd352c00be20d
SHA3-384 hash:	12d8f4cc47ce57b053f5f63f0d4f6319590644ef3b90d98b76bf6f8b52f2506d85a443028dec69d3665335e600955496
SHA1 hash:	03d37834753cd54b68599ab52549dda02b8fedff
MD5 hash:	4f63ea954c2e85753890beeb2c0c9bf4
humanhash:	march-coffee-washington-west
File name:	4f63ea954c2e85753890beeb2c0c9bf4.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'410'127 bytes
First seen:	2023-02-15 03:04:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (866 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Threatray	5'442 similar samples on MalwareBazaar
TLSH	T136657C01BE40CA11F0191633C3FF465847B4AD112AA6E71B7EB937AD5522393BE1CADB
TrID	54.2% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 40.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 2.1% (.EXE) Win64 Executable (generic) (10523/12/4) 1.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://vbhfghgfjjfgd.online/asyncgeneratorDefault/voiddb/2SqlImage/bigload1/protectLine/ProcessorpacketEternaltest/Packet/1http1Dump/geo/lowDownloads_8/privateDatalife/9962/pythonupdateAuthtraffic.php

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

dcrat

ID:

File name:

4f63ea954c2e85753890beeb2c0c9bf4.exe

Verdict:

Malicious activity

Analysis date:

2023-02-15 03:05:06 UTC

Tags:

trojan rat backdoor dcrat

Link:

https://app.any.run/tasks/2462e251-57f3-405c-b2c0-9c0b4015229c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DCRat

Link:

https://www.capesandbox.com/analysis/366291/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Creating a file in the Program Files subdirectories

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the Windows subdirectories

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/70114/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm greyware makop overlay packed packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/63ec4be197e87dd9097fac03/reports/fc20ee28-9ed2-417b-9f0c-603cce986515/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/a71a36b9a00cdbc6d3e38450fb87932cbb4f34a1e94eab9c7a2dd352c00be20d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5e207eea-a9fa-481e-b4fc-92ad8b06fb1f

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1175198

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a71a36b9a00cdbc6d3e38450fb87932cbb4f34a1e94eab9c7a2dd352c00be20d/

Threat name:

ByteCode-MSIL.Backdoor.DCRat

Status:

Malicious

First seen:

2023-02-09 17:59:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 39 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u4ndnonabtn4nu7dqripxb4tfs5u6nfb5fhkxhd2fxjvfqal4igq._file

Verdict:

malicious

DCRat

44c9a4a9ee95355817cb806bb72bf18e2007b036b81d2e3dcfbb4986f05aefd6

DCRat

6d46b5019e2ff15d922d83d923dc3d97490a7e4e6e14d263db67d8a72bf64849

DCRat

84dcb40e0aa6be8d21ef8e9dd4506c7896c42e77a51cb5f665e7b8ac5cfdcf9d

DCRat

9d7dff299353f51792a9730966950685b2db5e01a015790905a39f3493de1dcd

DCRat

ae9e9907092ac66c4bdb0c244eb015f381662fe23d8bf42c45e669c5c4ae3666

DCRat

dbf3b5a8edd99c33f86f18c28c6dc8934d2887bd8e4c036daf86aa4429394466

DCRat

fcd0dd18eb691a08d2821fd506ce7eb1ffa2383d6bebb49cc7dd2c70b197176e

DCRat

+ 5'432 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat infostealer rat

Link:

https://tria.ge/reports/230215-dk6ysahh28/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

DCRat payload

DcRat

Process spawned unexpected child process

Unpacked files

SH256 hash:

ced608d5f5826533e8b2df84558a3c460ba46ae716a15f99e4b4b67fbc06c106

MD5 hash:

6eb8cc11833900eae9eab4125de7dc55

SHA1 hash:

ac475d0a76ed27798bebd7b66e5801a3feac9d35

Link:

https://www.unpac.me/results/c7f5fd0f-143f-4292-81f4-dcfb11124b3b/

SH256 hash:

64fd100aa3a68d0940b1c49162e446d12cfea13e80d842ef51d8c9bd38e823a2

MD5 hash:

d3e64e5e16fb9481fac7940b0e3b8bd5

SHA1 hash:

6079bc012333fabd9ac0c7e4bd7b6f1b7f661a75

Link:

https://www.unpac.me/results/c7f5fd0f-143f-4292-81f4-dcfb11124b3b/

SH256 hash:

b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

MD5 hash:

bd31e94b4143c4ce49c17d3af46bcad0

SHA1 hash:

f8c51ff3ff909531d9469d4ba1bbabae101853ff

Link:

https://www.unpac.me/results/c7f5fd0f-143f-4292-81f4-dcfb11124b3b/

SH256 hash:

a71a36b9a00cdbc6d3e38450fb87932cbb4f34a1e94eab9c7a2dd352c00be20d

MD5 hash:

4f63ea954c2e85753890beeb2c0c9bf4

SHA1 hash:

03d37834753cd54b68599ab52549dda02b8fedff

Link:

https://www.unpac.me/results/c7f5fd0f-143f-4292-81f4-dcfb11124b3b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a71a36b9a00cdbc6d3e38450fb87932cbb4f34a1e94eab9c7a2dd352c00be20d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	sfx_pdb_winrar_restrict Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/366291/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample