MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a90d4531fae78e92972e98a3c12d50c2bbdc167e6c89ec1e06857042719b5969. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a90d4531fae78e92972e98a3c12d50c2bbdc167e6c89ec1e06857042719b5969
SHA3-384 hash: d0d7de4bf56fe91237bed3dcff96f055337c2a9b26340ce6115f3d1e3c7a0406a408d51a4fdc47b759752fe79b76fd0b
SHA1 hash: e80d60c0e6613c8e3cafdea39f3d58ac371b9055
MD5 hash: 645e43f289d69eba2356844740bb125e
humanhash: speaker-yankee-blue-johnny
File name:A90D4531FAE78E92972E98A3C12D50C2BBDC167E6C89E.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'715'837 bytes
First seen:2023-02-06 17:05:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (871 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:UbA3016mCPkOms7Xp8ry+wHhJ1MdjPiVpgTqWAzDAn9nZoPHPJTw1ga2U:UbwmCPkOmOppJ1qPHqW6EhG3JTwx7
TLSH T1EFC5CF017E44CA21F0192233C2EF464487B4AC552BA7E72B79BA377E65163937C0DADB
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://802560.clmonth.nyashteam.top/nyashsupport.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
A90D4531FAE78E92972E98A3C12D50C2BBDC167E6C89E.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 17:10:13 UTC
Tags:
trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/f8d44a36-727b-43b3-8a70-b20e140aa2e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360993/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65859/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm dcrat greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63e1337d89bd67c10fdccd57/reports/5fc3a68f-6ee7-4807-a620-26ecd308cb46/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a90d4531fae78e92972e98a3c12d50c2bbdc167e6c89ec1e06857042719b5969
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1340315a-c689-4d41-ac41-f887cd5354bf
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166884
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 799655 Sample: A90D4531FAE78E92972E98A3C12... Startdate: 06/02/2023 Architecture: WINDOWS Score: 100 41 Antivirus detection for URL or domain 2->41 43 Antivirus detection for dropped file 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 7 other signatures 2->47 8 A90D4531FAE78E92972E98A3C12D50C2BBDC167E6C89E.exe 3 7 2->8         started        11 ghHcIDFQzaulXEHYUrqswJMsq.exe 3 2->11         started        13 ghHcIDFQzaulXEHYUrqswJMsq.exe 2 2->13         started        15 23 other processes 2->15 process3 file4 37 C:\HyperAgentsvc\MssurrogateBroker.exe, PE32 8->37 dropped 39 C:\HyperAgentsvc\y12sq2.vbe, data 8->39 dropped 17 wscript.exe 1 8->17         started        19 wscript.exe 8->19         started        process5 process6 21 cmd.exe 1 17->21         started        process7 23 MssurrogateBroker.exe 1 18 21->23         started        27 conhost.exe 21->27         started        file8 29 C:\Windows\Speech_OneCore\RuntimeBroker.exe, PE32 23->29 dropped 31 C:\Users\user\AppData\Local\...\lsass.exe, PE32 23->31 dropped 33 C:\Users\Public\...\RuntimeBroker.exe, PE32 23->33 dropped 35 4 other malicious files 23->35 dropped 49 Antivirus detection for dropped file 23->49 51 Multi AV Scanner detection for dropped file 23->51 53 Machine Learning detection for dropped file 23->53 55 2 other signatures 23->55 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a90d4531fae78e92972e98a3c12d50c2bbdc167e6c89ec1e06857042719b5969/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2023-01-02 14:30:53 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
29 of 39 (74.36%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vegukmp246hjffzotcr4clkqyk55yft6nse6yhqgqvyee4m3lfuq._file
Verdict:
malicious
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/230206-vmdtfsfa47/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
f03e183ed0ff056dd2149227128e8492e0a561034b7f639a0b9012838f3374f8
MD5 hash:
611ff63acccc86f72b59c6ada4e30ffb
SHA1 hash:
fc1db0b3269e7020b58b072af17b9b42e645012d
Link:
https://www.unpac.me/results/93ee1ee9-7e92-4a01-b858-64a527382a83/
SH256 hash:
b0dd7e37e5ef4883f0b1daa4fd4b7371b457f4c20bce5c67614afc711c3d84e2
MD5 hash:
df352116bf6a3903db98c85460b5b547
SHA1 hash:
f1f90b4c5e9f9bc81ae1941d46920469a3af3792
Link:
https://www.unpac.me/results/93ee1ee9-7e92-4a01-b858-64a527382a83/
SH256 hash:
a90d4531fae78e92972e98a3c12d50c2bbdc167e6c89ec1e06857042719b5969
MD5 hash:
645e43f289d69eba2356844740bb125e
SHA1 hash:
e80d60c0e6613c8e3cafdea39f3d58ac371b9055
Link:
https://www.unpac.me/results/93ee1ee9-7e92-4a01-b858-64a527382a83/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a90d4531fae78e92972e98a3c12d50c2bbdc167e6c89ec1e06857042719b5969

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/360993/

Comments