MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdda6364d1ee783defaa82554c73dd628d1e616ed69da563afbae1c2cea2d6b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdda6364d1ee783defaa82554c73dd628d1e616ed69da563afbae1c2cea2d6b7
SHA3-384 hash: fed22963ad705f5ac59de9bde8a5029fa7a8674f42645f255a72145f3aa8e51556129ab58c678c5b8e7026f360f26e84
SHA1 hash: fb8cb6ba22f7fdd65eae3ac397a38b13e80ea6cb
MD5 hash: 95d28a26ea388b7c29f6760bad5835bd
humanhash: bravo-batman-bakerloo-eight
File name:95d28a26ea388b7c29f6760bad5835bd.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'370'338 bytes
First seen:2022-03-21 16:03:18 UTC
Last seen:2022-03-25 07:03:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0tkk3E9hxllahmh9SP5U83mNlUgpGYf4PRi45/:UbA30O9SP593CltEI+
Threatray 2'594 similar samples on MalwareBazaar
TLSH T10F558C027E44CA12D0668A33D9EF901847ACBD432A2BDB1F7A9A379D16113E75D0E5CF
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://37.46.133.171/Wordpress/WordpressSecure/external6protect/pollFlower.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://37.46.133.171/Wordpress/WordpressSecure/external6protect/pollFlower.php https://threatfox.abuse.ch/ioc/434290/

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253683/
Detection(s):
Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9937390-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10144/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed packed replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/6238a1ffdfdfa8501cc79a86/reports/e38226fb-c085-4273-b324-90a4d6cac56f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e510a1c1-0561-4107-8f75-69d6e2a33d1d
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960946
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593429 Sample: y91XYIPUJL.exe Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 6 other signatures 2->48 8 y91XYIPUJL.exe 3 6 2->8         started        12 fbMepJLbtxhGCtqpVxOHq.exe 2 2->12         started        14 fbMepJLbtxhGCtqpVxOHq.exe 2 2->14         started        16 21 other processes 2->16 process3 dnsIp4 40 192.168.2.1 unknown unknown 8->40 36 C:\...\FontruntimeBrokercommonrefhostperf.exe, PE32 8->36 dropped 38 C:\...\ejDq4IMizipIF9i6x.vbe, data 8->38 dropped 18 wscript.exe 1 8->18         started        file5 process6 process7 20 cmd.exe 1 18->20         started        process8 22 FontruntimeBrokercommonrefhostperf.exe 3 14 20->22         started        26 conhost.exe 20->26         started        file9 28 C:\Users\Default\Pictures\UsoClient.exe, PE32 22->28 dropped 30 C:\ProgramData\...\fbMepJLbtxhGCtqpVxOHq.exe, PE32 22->30 dropped 32 C:\ProgramData\...\SgrmBroker.exe, PE32 22->32 dropped 34 3 other files (none is malicious) 22->34 dropped 50 Multi AV Scanner detection for dropped file 22->50 52 Creates an undocumented autostart registry key 22->52 54 Machine Learning detection for dropped file 22->54 56 3 other signatures 22->56 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdda6364d1ee783defaa82554c73dd628d1e616ed69da563afbae1c2cea2d6b7/
Threat name:
ByteCode-MSIL.Trojan.ZmutzyLscpt
Create hunting rule
Status:
Malicious
First seen:
2022-03-19 15:39:26 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxnggzgr5z4d335kqjkuy465mkgr4ylo22o2ky5pxlq4ftvc223q._file
Verdict:
malicious
Similar samples:
1934ca02e1627b6127c65310ffe6be91e216d53bfa4b90d0fe5ec4912c17e4cd
DCRat
8f7bab9df8b75b06db3d3386c8fea2e31c3c829793e6176f54daeaff7e9654fc
DCRat
99607533ec0caa3bbd538f0fab6efd8054f72717119fc8264aa75fe8522f3129
DCRat
c471593f9061543dec0992defe7f0066a008419985bf8d3992611bf5296f1818
DCRat
dab47d33a292ab6b5b8aa525857160906629f9fd1b8dc1e3a37f62247d7ce8e0
DCRat
e22bc0f5a53d0bb00be209379ab79cbbc31d16d02338098cf172430218d996da
DCRat
ec7530be3b51c76f865fb17df9fda1d5577df22854e33b2945da30a9367762cc
DCRat
+ 2'584 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/220321-thygmadag2/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
Unpacked files
SH256 hash:
92e520c976268b1cfa9b3fa44bf1c11834bcd00b91b9a399ef637189c8c819e8
MD5 hash:
20df5b3e0f6a0602789e8aedc00f62da
SHA1 hash:
4231c7a5d12ed74bb67b67db090293e6c0c16864
Link:
https://www.unpac.me/results/c25d6ef4-bb77-4d98-8660-5610b49d5f4c/
SH256 hash:
267e379980d5c42a0f1d46597044f2c1c8c3f858b1d6770e1f9617749373745e
MD5 hash:
ef20fe284232ab48330be2af22226f9e
SHA1 hash:
f627a408307e4f2e2784e8ed56a7480cb0c0c016
Link:
https://www.unpac.me/results/c25d6ef4-bb77-4d98-8660-5610b49d5f4c/
SH256 hash:
bdda6364d1ee783defaa82554c73dd628d1e616ed69da563afbae1c2cea2d6b7
MD5 hash:
95d28a26ea388b7c29f6760bad5835bd
SHA1 hash:
fb8cb6ba22f7fdd65eae3ac397a38b13e80ea6cb
Link:
https://www.unpac.me/results/c25d6ef4-bb77-4d98-8660-5610b49d5f4c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdda6364d1ee783defaa82554c73dd628d1e616ed69da563afbae1c2cea2d6b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe bdda6364d1ee783defaa82554c73dd628d1e616ed69da563afbae1c2cea2d6b7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2109532/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/253683/

Comments