MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
SHA3-384 hash: 9500a8054397e15a286dd92e250b3bdf801a57ba4390021076c3cb142e7848b4f28b9dbc9b6fb455ea9da1c812af9a8f
SHA1 hash: 11c37efc381af0689178a7074035c90cabb25789
MD5 hash: deaa91e13bfb55bf8254aec4daa20a0b
humanhash: victor-yellow-cola-oscar
File name:DEAA91E13BFB55BF8254AEC4DAA20A0B.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'402'966 bytes
First seen:2021-07-12 19:32:16 UTC
Last seen:2022-07-11 12:16:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:dahkAMBDKkHOPgWhC14dwmfGlIDEXZpPtJUs2waAW+wHTGWIUnz:d9AMB2QO/0yfUIYXbH2+wH5z
Threatray 64 similar samples on MalwareBazaar
TLSH T1EDF5DE62E07CCCE5EA551E3B2F4AA37219D760704E22DB425282EE39E5742EC3DC5DB4
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://37.230.116.78/searcherpluginServerrule/pool/Math/recordlogPythonrule/Djangotrace/processBigload.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://37.230.116.78/searcherpluginServerrule/pool/Math/recordlogPythonrule/Djangotrace/processBigload.php https://threatfox.abuse.ch/ioc/159898/

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DEAA91E13BFB55BF8254AEC4DAA20A0B.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 19:36:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d384b9d2-9a01-48a5-a5dd-6bc87b89cafb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171181/
Detection(s):
Win.Malware.Generic-9872030-0
Create hunting rule

Win.Malware.Generic-9874383-0
Create hunting rule

SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76cbb10b-2d5d-4353-80ea-be66eb52b0ff
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815123
Signature
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 447534 Sample: cyRQAYp71N.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 58 ipinfo.io 2->58 60 ip-api.com 2->60 76 Found malware configuration 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 6 other signatures 2->82 9 cyRQAYp71N.exe 11 2->9         started        12 Registry.exe 3 2->12         started        15 powershell.exe 2->15         started        signatures3 process4 file5 50 C:\Users\user\AppData\Local\Temp\rt.exe, PE32 9->50 dropped 52 C:\Users\user\AppData\Local\Temp\extr.exe, PE32 9->52 dropped 54 C:\Users\user\AppData\Local\Temp54isSrv.exe, PE32+ 9->54 dropped 56 C:\Users\user\AppData\Local\...\MsMpEng.exe, PE32+ 9->56 dropped 17 rt.exe 1 13 9->17         started        21 extr.exe 14 3 9->21         started        84 Multi AV Scanner detection for dropped file 12->84 86 Machine Learning detection for dropped file 12->86 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->88 24 conhost.exe 15->24         started        signatures6 process7 dnsIp8 42 C:\Windows\...\backgroundTaskHost.exe, PE32 17->42 dropped 44 C:\Recovery\Registry.exe, PE32 17->44 dropped 46 C:\Program Files (x86)\...\RuntimeBroker.exe, PE32 17->46 dropped 48 C:\MSOCache\All Users\SearchUI.exe, PE32 17->48 dropped 64 Machine Learning detection for dropped file 17->64 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->66 68 Uses schtasks.exe or at.exe to add and modify task schedules 17->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->70 26 schtasks.exe 1 17->26         started        28 schtasks.exe 1 17->28         started        30 schtasks.exe 1 17->30         started        32 2 other processes 17->32 62 raw.githubusercontent.com 185.199.109.133, 443, 49751 FASTLYUS Netherlands 21->62 72 Antivirus detection for dropped file 21->72 74 Detected unpacking (overwrites its own PE header) 21->74 file9 signatures10 process11 process12 34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        38 conhost.exe 30->38         started        40 conhost.exe 32->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-09 04:31:25 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnk7z4lckqissxmhawptcfw3iee66b4dkbh3z2of5sqf55znixqa._file
Verdict:
malicious
Similar samples:
043933cf2d619c6da0e932c3e7a302f210f3ae09d924379f8ae257c9c291e292
DCRat
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
DCRat
40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f
DCRat
4b734afbb65c47d96c53ddc24250cacf96e62bbc56e0c64eca978d3255bbc745
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
748f35be261019103aae31d43b1fa88fda9cbc99043122e76b5c0a0d94cb808f
DCRat
9d88e62b7da45ea1be4c02dec30b6a31b53d42c31d1785f4a992e55c0147d825
DCRat
b7700c66e40ddd73a718794c1f295d1a56251aa0cdb89b215120a09bb5e61e9e
DCRat
+ 54 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/210712-z2jkq8t7fa/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
DCRat Payload
Contains code to disable Windows Defender
DcRat
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
265467c7d5058b35c3b65d99e83937bd3d26c251ec91e7d1a95944f8f3c4c109
MD5 hash:
0f304d0fd19e25d3d429de4f023d4e88
SHA1 hash:
c63bf4209822fe732a594fe5939a91ac70118447
Link:
https://www.unpac.me/results/71bc410f-1d32-419a-8845-995cfc7da950/
SH256 hash:
5f47cd15c4d9b0b45dc6d8f06d58890f05330b66aa0098e462945b946dbdaf50
MD5 hash:
30fd76d451bfcde402c3b3eb83421535
SHA1 hash:
ab8b60aacac284db1a6d45d893db1550f905f60a
Link:
https://www.unpac.me/results/71bc410f-1d32-419a-8845-995cfc7da950/
SH256 hash:
862b723bcc8fa9eb632adb37a3785872366dac35be0e630b8dce658bc1bc0bc4
MD5 hash:
936ff33cdaddfdb223078d5a6f829ff5
SHA1 hash:
a0c899491369595ad820f698566aeb336b45d4ac
Link:
https://www.unpac.me/results/71bc410f-1d32-419a-8845-995cfc7da950/
SH256 hash:
bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
MD5 hash:
deaa91e13bfb55bf8254aec4daa20a0b
SHA1 hash:
11c37efc381af0689178a7074035c90cabb25789
Link:
https://www.unpac.me/results/71bc410f-1d32-419a-8845-995cfc7da950/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171181/

Comments