MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2365436a67ec76dc90b2f6d4fdf55ff9066d166754c5bc9ff7d5a6901f81aa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

SHA256 hash: c2365436a67ec76dc90b2f6d4fdf55ff9066d166754c5bc9ff7d5a6901f81aa4
SHA3-384 hash: 5b3a6820fcbfa418683517b3503799b6a7090dda1774fea1c9734baa7699031f7217d7682e962eeb05ede3a527bba6e8
SHA1 hash: 18c9839ce9656bbf617a2687b880794371567398
MD5 hash: 05ab720bbe85744cf1cbdab2aa91bcff
humanhash: two-robert-vegan-winner
File name: 05AB720BBE85744CF1CBDAB2AA91BCFF.exe
Signature: DCRat
File size: 987'029 bytes
First seen: 2021-07-16 20:06:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (865 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:u2G/nvxW3WieClgD31OWO4BNkGfrh2ph+mBW:ubA3jOD8F43VXmBW
Threatray: 437 similar samples on MalwareBazaar
TLSH: T16F250202BAC255B2D6711932057EA711693DBC301F248FEFA3E46A5E99341C0EB357BB
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://34.88.37.156/Vmgamedefaulttest.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                         ThreatFox Reference
http://34.88.37.156/Vmgamedefaulttest.php   https://threatfox.abuse.ch/ioc/160833/

Intelligence


File Origin
# of uploads: 1
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 05AB720BBE85744CF1CBDAB2AA91BCFF.exe
Verdict: No threats detected
Analysis date: 2021-07-16 20:09:08 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected VMProtect packer
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 450106, sample mze65owJ9X.exe, start date 16/07/2021, architecture WINDOWS, score 100]
Recoverable process chain from the graph: mze65owJ9X.exe (alongside JWZGPTrHBvYqBrkbuY.exe and wininit.exe at start) drops intoSessionbrokermonitordhcpWinRefnet.exe (PE32) and starts wscript.exe, which starts cmd.exe, which launches intoSessionbrokermonitordhcpWinRefnet.exe and conhost.exe. That process contacts 192.168.2.1, drops C:\intoSessionbrokermonitordhcp\wininit.exe, C:\Windows\...\backgroundTaskHost.exe, C:\Windows\System32\WwaApi\conhost.exe and 5 other malicious files, and starts three schtasks.exe instances plus 6 other processes, each followed by conhost.exe children.
Graph signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 6 other signatures.
Threat name: ByteCode-MSIL.Trojan.Rasftuby
Status: Malicious
First seen: 2021-07-14 00:14:22 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware stealer vmprotect
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
VMProtect packed file
Unpacked files
SHA256 hash: 62ded6db1d6986e9e3db3914809c2e84282c44f47a724a1b5308bb64a056bf12
MD5 hash: d38c5fb11e33682ff4ac6c3b42727aba
SHA1 hash: 9b7102baff3df8a24a70fd1c9e45621011cbd7e6

SHA256 hash: c2365436a67ec76dc90b2f6d4fdf55ff9066d166754c5bc9ff7d5a6901f81aa4
MD5 hash: 05ab720bbe85744cf1cbdab2aa91bcff
SHA1 hash: 18c9839ce9656bbf617a2687b880794371567398
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments