MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c221fa12d79efaabd55c061a968de9380080d563dc4f13669ed08293b11002c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c221fa12d79efaabd55c061a968de9380080d563dc4f13669ed08293b11002c3
SHA3-384 hash: e40cc13877f2d44c31da14694123646e21f8f4c4e447eb2529d8832c2f69bb206871965afe64117d6f75980042057a79
SHA1 hash: 62b542575c65ca369843c7db9aaa8b75dc25de77
MD5 hash: ffdcdb47645021c515ba1d76427268d7
humanhash: beer-hotel-spaghetti-enemy
File name:to establish.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:878'091 bytes
First seen:2021-03-04 20:46:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:jAOcZymsTDSSjbwsJGZ6tU6cgKYGgwe7G3E:lnvwIGZ6tU6qYGgw3U
Threatray 470 similar samples on MalwareBazaar
TLSH 72151201BAC288B2D833193A5939AB166E7D79301F21DA2FF7D019BDDE305C17625B63
Reporter Finch39487976
Tags:DCRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
to establish.exe
Verdict:
Malicious activity
Analysis date:
2021-03-04 20:50:12 UTC
Tags:
rat backdoor dcrat trojan stealer evasion
Link:
https://app.any.run/tasks/407ea9de-4d5e-4f98-92a1-9430f13bb130

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122364/
Detection(s):
Win.Trojan.Uztuby-9774367-0
Create hunting rule

Win.Malware.Uztuby-9838540-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Launching a process
Creating a file
Sending an HTTP GET request
Deleting a recently created file
Reading critical registry keys
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/629204
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 363575 Sample: to establish.exe Startdate: 04/03/2021 Architecture: WINDOWS Score: 100 78 Found malware configuration 2->78 80 Antivirus detection for dropped file 2->80 82 Yara detected DCRat 2->82 84 7 other signatures 2->84 13 to establish.exe 3 11 2->13         started        16 explorer.exe 14 3 2->16         started        process3 dnsIp4 64 C:\Users\user\...\uZUJWHcGxdciNKI8jDXq.exe, PE32 13->64 dropped 20 wscript.exe 1 13->20         started        66 62.109.23.191, 49733, 80 THEFIRST-ASRU Russian Federation 16->66 68 192.168.2.1 unknown unknown 16->68 70 Antivirus detection for dropped file 16->70 72 System process connects to network (likely due to code injection or exploit) 16->72 74 Machine Learning detection for dropped file 16->74 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->76 file5 signatures6 process7 process8 22 cmd.exe 1 20->22         started        process9 24 uZUJWHcGxdciNKI8jDXq.exe 11 22->24         started        27 conhost.exe 22->27         started        file10 62 C:\Users\user\AppData\...\runtimesession.exe, PE32 24->62 dropped 29 wscript.exe 1 24->29         started        process11 process12 31 cmd.exe 1 29->31         started        process13 33 runtimesession.exe 1 9 31->33         started        37 conhost.exe 31->37         started        file14 54 C:\Users\Default\...\MusNotifyIcon.exe, PE32 33->54 dropped 56 C:\Recovery\ApplicationFrameHost.exe, PE32 33->56 dropped 58 C:\PerfLogs\explorer.exe, PE32 33->58 dropped 60 C:\Users\user\...\runtimesession.exe.log, ASCII 33->60 dropped 86 Antivirus detection for dropped file 33->86 88 Machine Learning detection for dropped file 33->88 90 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 33->90 92 2 other signatures 33->92 39 ApplicationFrameHost.exe 33->39         started        42 schtasks.exe 1 33->42         started        44 schtasks.exe 1 33->44         started        46 schtasks.exe 33->46         started        signatures15 process16 signatures17 94 Antivirus detection for dropped file 39->94 96 Machine Learning detection for dropped file 39->96 98 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 39->98 48 conhost.exe 42->48         started        50 conhost.exe 44->50         started        52 conhost.exe 46->52         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c221fa12d79efaabd55c061a968de9380080d563dc4f13669ed08293b11002c3/
Threat name:
Win32.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 20:47:06 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c8c15c9e75a91e83851517f11be665131e7115c3f3932ee70b99833474b4c8d
DCRat
192345b11e53e8d691a67584df68072eb1e8b8d41f4a4b5af7fae19d36ba36c4
DCRat
44c671f6aaca45b2db6397a3037a471aa2889538ebc73138bfeb34e50e1df1f6
DCRat
4a4c53136db2fb3322b68159761172d730c30d2f0a486dceeeb0056b4ab8e071
DCRat
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
DCRat
6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61
DCRat
6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369
DCRat
70da4cb906561579f992801bfce2c3f1daf01833b292a9bd04545b7e0ee49fbd
DCRat
a51c62d5cbbdd3442ea44f0282533b9671f5fea07590caa69e13d67aa66db735
DCRat
c0258a01a5881d1f5de632d7617a0e225173696db23fb99f72ea1c84e6be396c
DCRat
+ 460 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/210304-e4braj3th2/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
124e395202cf2941a4300fd062b543b68e570159879c283552f2175df3c2a601
MD5 hash:
b0dea02eeb25faf9605d78d7038036ed
SHA1 hash:
52589ed3dbc95df7d8a9cf674112bff9daefe6fa
Link:
https://www.unpac.me/results/d70f9b06-c6c3-424c-be75-845b1673662a/
SH256 hash:
c221fa12d79efaabd55c061a968de9380080d563dc4f13669ed08293b11002c3
MD5 hash:
ffdcdb47645021c515ba1d76427268d7
SHA1 hash:
62b542575c65ca369843c7db9aaa8b75dc25de77
Link:
https://www.unpac.me/results/d70f9b06-c6c3-424c-be75-845b1673662a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c221fa12d79efaabd55c061a968de9380080d563dc4f13669ed08293b11002c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe c221fa12d79efaabd55c061a968de9380080d563dc4f13669ed08293b11002c3

(this sample)

  
X
https://twitter.com/Finch39487976/status/1367576952287158278
Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122364/

Comments