MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0bea0a11853ecbdd169b0d0ac30f0afcba308555752a0ead4de45895ec69ed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 14



SHA256 hash: c0bea0a11853ecbdd169b0d0ac30f0afcba308555752a0ead4de45895ec69ed2
SHA3-384 hash: 0bdbe2e0378e7b36c42187cb386b2ff9d6e8f0798a4bd284484853775b2e3bde8590cff1cdca603897a1761d8780d9ca
SHA1 hash: 7be531a0a8ca1e686e6f7ff70fc3c2de963684fe
MD5 hash: f20c74f02de55472d8b565868a19f4f5
humanhash: ink-bulldog-lion-batman
File name: c0bea0a11853ecbdd169b0d0ac30f0afcba308555752a.exe
Signature: DCRat
File size: 1'274'486 bytes
First seen: 2023-07-03 20:45:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:U2G/nvxW3Ww0t1Qo4QruJTrTn5mC8IasJ8lkf6LgH:UbA301n47rzrJfkY
TLSH: T1AA456A027E44CA11F0195233C2FF492447B4AC512AA6E72FBEBA37AD55123937D1DACB
TrID:
    91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
    3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
    1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
    1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
    0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://web3174.craft-host.ru/_Defaultwindows.php

Intelligence


File Origin
# of uploads:
1
# of downloads:
295
Origin country:
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
c0bea0a11853ecbdd169b0d0ac30f0afcba308555752a.exe
Verdict:
Malicious activity
Analysis date:
2023-07-03 20:46:34 UTC
Tags:
dcrat rat backdoor

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Sending a UDP request
DNS request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd cscript dcrat explorer greyware hacktool lolbin overlay packed replace schtasks setupapi shdocvw shell32 wscript
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Behavior Graph ID: 1266227
Sample: c0bea0a11853ecbdd169b0d0ac3...
Start date: 03/07/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 10 other signatures
Process tree (started / dropped / signatures, as recovered from the graph):
    c0bea0a11853ecbdd169b0d0ac30f0afcba308555752a.exe (started)
        dropped: C:\Windows\perfCrt.exe (PE32)
        dropped: C:\...\8NQktCoAZviY5dhjarDv0yXqzR5kC.vbe (data)
        wscript.exe (started)
            cmd.exe (started)
                signature: Drops executables to the windows directory (C:\Windows) and starts them
                perfCrt.exe (started)
                    dropped: C:\Windows\PolicyDefinitions\...\Registry.exe (PE32)
                    dropped: C:\Users\...\RujNtFbzIuFbkiTZzAVgDwz.exe (PE32)
                    dropped: C:\Users\Public\Desktop\System.exe (PE32)
                    dropped: 9 other malicious files
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
                conhost.exe (started)
    RujNtFbzIuFbkiTZzAVgDwz.exe (started)
        signature: Multi AV Scanner detection for dropped file
    wininit.exe (started)
    33 other processes (started)
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Status:
Malicious
First seen:
2023-06-19 14:23:44 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
28 of 37 (75.68%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:dcrat infostealer rat
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SHA256 hash:
c1452a47310558c9a70b6fd3b9d68156aad8c1b07fd53455bff0ccd83b95ba8e
MD5 hash:
f553aaacd5d5d904ae5103a9f9d1d8e2
SHA1 hash:
29d46f0d7be8aaf8c9348d706395c5e5ad7095dd
SHA256 hash:
150bc49f9755f25221bfc445c7a067615cdb8de797c6c6ba873e3f56e0036799
MD5 hash:
62e2e1875fed8255a355ad33978871f8
SHA1 hash:
cbd378e64a125ba6b0306d126eec6bd4cecda46c
SHA256 hash:
c0bea0a11853ecbdd169b0d0ac30f0afcba308555752a0ead4de45895ec69ed2
MD5 hash:
f20c74f02de55472d8b565868a19f4f5
SHA1 hash:
7be531a0a8ca1e686e6f7ff70fc3c2de963684fe
Detections:
win_xorist_auto
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: win_xorist_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.xorist.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments