MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10
SHA3-384 hash: 5f2625bfdae7786cadb1b6b5245cccf00208591a29baddc93de15bd8d45db0324cb653865e405a2200bc8806b8a8173e
SHA1 hash: dfbcc8230ec7d9be9c8801006300fdd9c52a1562
MD5 hash: d7b1a729706256c6bb7f9f4c1d7a5e92
humanhash: spring-juliet-football-indigo
File name:B95DA950B192A24ECF7FDD74FB8E2020A5F89E48B6193.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:4'134'626 bytes
First seen:2023-11-23 21:55:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 98304:y0stsjKHjNrzegRsX9NGIXbcMgzGt24EPd2eBMEQWCT3OJox8Tn1Ta:vstsWjopNNGL/St24i2eBdzvOx8Tn1a
Threatray 819 similar samples on MalwareBazaar
TLSH T11316F10665624A73D2D53F3284DB045E53B5EB727612EF0B3A2E50D5EE86630DF223B2
TrID 53.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
39.8% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
2.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://82.146.33.89/TrackAsyncbase7/defaultVm/PublicprotonProvider/VoiddbsqlpollBetter/03temporaryEternal/server/9Wp1Wordpress/updateDatalife2/Private/Javascript/publicgeo2/ExternallinesecureprocessLongpollLinuxWppublicDownloads.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
376
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459921/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Packed.Uztuby-10009381-0
Create hunting rule

Win.Packed.Uztuby-10015036-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Loading a suspicious library
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware installer lolbin overlay packed packed replace setupapi sfx shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/655fca731dea9b05c3c9bb43/reports/799e2c48-64a5-4fc6-8026-1896f66029e5/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8.Gen;Trojan.Uztuby
Link:
https://www.hybrid-analysis.com/sample/b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c9b1de38-28bd-4a0f-bccf-ac193efa2b24
Result
Threat name:
DCRat, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1347120
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1347120 Sample: B95DA950B192A24ECF7FDD74FB8... Startdate: 23/11/2023 Architecture: WINDOWS Score: 100 105 Snort IDS alert for network traffic 2->105 107 Antivirus detection for URL or domain 2->107 109 Antivirus detection for dropped file 2->109 111 7 other signatures 2->111 14 B95DA950B192A24ECF7FDD74FB8E2020A5F89E48B6193.exe 3 6 2->14         started        process3 file4 97 C:\SessionSvc\Blockcomwebwincommon.exe, PE32 14->97 dropped 99 31eMix2CA2xtln1ERL...MSfm5SgXXuBlcYs.vbe, data 14->99 dropped 17 wscript.exe 1 14->17         started        process5 signatures6 103 Windows Scripting host queries suspicious COM object (likely to drop second stage) 17->103 20 cmd.exe 17->20         started        process7 process8 22 Blockcomwebwincommon.exe 3 41 20->22         started        26 conhost.exe 20->26         started        file9 73 C:\Users\user\Desktop\ydUDqLIb.log, PE32 22->73 dropped 75 C:\Users\user\Desktop\xpQuExMd.log, PE32 22->75 dropped 77 C:\Users\user\Desktop\wsomixxi.log, PE32 22->77 dropped 79 28 other malicious files 22->79 dropped 113 Antivirus detection for dropped file 22->113 115 Multi AV Scanner detection for dropped file 22->115 117 Machine Learning detection for dropped file 22->117 119 2 other signatures 22->119 28 cmd.exe 22->28         started        31 powershell.exe 23 22->31         started        33 powershell.exe 23 22->33         started        35 16 other processes 22->35 signatures10 process11 signatures12 125 Uses ping.exe to sleep 28->125 127 Uses ping.exe to check the status of other devices and networks 28->127 37 ULejXjybRhKScnhNNIelcvqvjmPn.exe 28->37         started        42 conhost.exe 28->42         started        54 2 other processes 28->54 44 conhost.exe 31->44         started        46 conhost.exe 33->46         started        48 conhost.exe 35->48         started        50 conhost.exe 35->50         started        52 conhost.exe 35->52         started        56 13 other processes 35->56 process13 dnsIp14 101 82.146.33.89, 49735, 49736, 49738 THEFIRST-ASRU Russian Federation 37->101 81 C:\Users\user\Desktop\vyKVIZST.log, PE32 37->81 dropped 83 C:\Users\user\Desktop\uGuonItY.log, PE32 37->83 dropped 85 C:\Users\user\Desktop\rIUfBcSZ.log, PE32 37->85 dropped 87 23 other malicious files 37->87 dropped 121 Multi AV Scanner detection for dropped file 37->121 123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->123 58 cmd.exe 37->58         started        file15 signatures16 process17 process18 60 ULejXjybRhKScnhNNIelcvqvjmPn.exe 58->60         started        63 conhost.exe 58->63         started        65 chcp.com 58->65         started        67 w32tm.exe 58->67         started        file19 89 C:\Users\user\Desktop\wqdonYrk.log, PE32 60->89 dropped 91 C:\Users\user\Desktop\uxOFBcGm.log, PE32 60->91 dropped 93 C:\Users\user\Desktop\sAnxgcrr.log, PE32 60->93 dropped 95 23 other malicious files 60->95 dropped 69 cmd.exe 60->69         started        process20 process21 71 conhost.exe 69->71         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 23:42:40 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xfo2sufrskre5t373v2pxdraecs7rhsiwymt6uccginxaucepmia._file
Verdict:
malicious
Similar samples:
24471a5441763eca34eb78d690343b58468465c0c031a1ad3a7e71525d27fdcb
DCRat
337c4fd53d4d48999ba1eb062bead9abef2ea2939a880287d9334c6ddd0da754
DCRat
39ba27ddda1d3fe75d11abc68af9953848c5c6887039f30910587208103a8d4d
DCRat
9423f5e024018b8fcc51b5e8ac1aa39fa8bac5204b10495708693902cf381139
DCRat
96cd2c662aac016badbfbf78754711578725ca5f206b5a6a37da1aa20521fea2
DCRat
b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10
DCRat
+ 809 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231123-1tbwbsce98/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
7a080d8bd178ec02c7f39f7f941479074c450c4fdd8e963c993d2fb5537c7708
MD5 hash:
16b480082780cc1d8c23fb05468f64e7
SHA1 hash:
6fddf86f9f0fbaa189f5cb79e44999a3f1ac2b26
Link:
https://www.unpac.me/results/aab50a7e-8c69-45d3-a5e0-8624c46d396c/
SH256 hash:
7c95d3b38114e7e4126cb63aadaf80085ed5461ab0868d2365dd6a18c946ea3a
MD5 hash:
e9ce850db4350471a62cc24acb83e859
SHA1 hash:
55cdf06c2ce88bbd94acde82f3fea0d368e7ddc6
Link:
https://www.unpac.me/results/aab50a7e-8c69-45d3-a5e0-8624c46d396c/
SH256 hash:
b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10
MD5 hash:
d7b1a729706256c6bb7f9f4c1d7a5e92
SHA1 hash:
dfbcc8230ec7d9be9c8801006300fdd9c52a1562
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/aab50a7e-8c69-45d3-a5e0-8624c46d396c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459921/

Comments