MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c263b9a957766bbb5b1fa0487ba5e9209e10fe95eee0397a7ccafad2f7d50a4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c263b9a957766bbb5b1fa0487ba5e9209e10fe95eee0397a7ccafad2f7d50a4e
SHA3-384 hash: 85b41f2374cd3ce1f942157400c4ee562ed9b57b55e9790a29d1a2fd7b7883e7dae7a0d129ba08c0081a20eb7504031f
SHA1 hash: af48d84fa3e0e78dcb709cbb6eae14009a11175d
MD5 hash: e2652c8c7959bcebe06c110804dbd1ae
humanhash: equal-robin-oscar-wisconsin
File name:c263b9a957766bbb5b1fa0487ba5e9209e10fe95eee0397a7ccafad2f7d50a4e
Download: download sample
Signature DCRat
Create hunting rule
File size:1'717'141 bytes
First seen:2021-03-01 18:29:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:HAOcZOXaL1Z0a7Q0h1opiwkLyoJ3IZLoBw181AVa4Aonjbd4e1Aqw9FWTQMO:5E7Q0h1dwkxtIZLowa4A4bdAFWUL
Threatray 416 similar samples on MalwareBazaar
TLSH C9852302B6D58872D13329351965E729A97C78210E24AF2FB7E109ADFF306916335FB3
Reporter c3rb3ru5d3d53c2
Tags:DCRat


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120366/
Detection(s):
Win.Dropper.Nanocore-9774881-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a process
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Stealing user critical data
Creating a file in the mass storage device
Enabling autorun by creating a file
Changing the hosts file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/622701
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the hosts file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive USB information (via WMI, WIN32_USBHUB, often done to detect sandboxes)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 360341 Sample: tC0FTkcv0Q Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 94 Found malware configuration 2->94 96 Antivirus detection for dropped file 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 12 other signatures 2->100 13 tC0FTkcv0Q.exe 3 6 2->13         started        16 Registry.exe 18 15 2->16         started        20 TbQkcPFuzqlGMrlXnvWuTixVGmMtVi.exe 2->20         started        process3 dnsIp4 72 C:\crtfont\DQXfKQIzZd5elQt8Q5Xp.exe, PE32 13->72 dropped 22 wscript.exe 1 13->22         started        76 ipinfo.io 16->76 78 52.15.229.249, 49748, 49763, 49764 AMAZON-02US United States 16->78 80 3 other IPs or domains 16->80 74 C:\Windows\System32\drivers\etc\hosts, ASCII 16->74 dropped 82 Antivirus detection for dropped file 16->82 84 Protects its processes via BreakOnTermination flag 16->84 86 Mutes Antivirus updates and installments via hosts file black listing 16->86 92 4 other signatures 16->92 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->88 file5 90 Uses the Telegram API (likely for C&C communication) 76->90 signatures6 process7 process8 24 cmd.exe 1 22->24         started        process9 26 DQXfKQIzZd5elQt8Q5Xp.exe 6 24->26         started        29 conhost.exe 24->29         started        file10 70 C:\crtfont\monitorref.exe, PE32 26->70 dropped 31 wscript.exe 1 26->31         started        process11 process12 33 cmd.exe 1 31->33         started        process13 35 monitorref.exe 1 15 33->35         started        39 conhost.exe 33->39         started        file14 62 C:\...\TbQkcPFuzqlGMrlXnvWuTixVGmMtVi.exe, PE32 35->62 dropped 64 C:\Recovery\Registry.exe, PE32 35->64 dropped 66 C:\...\TbQkcPFuzqlGMrlXnvWuTixVGmMtVi.exe, PE32 35->66 dropped 68 4 other malicious files 35->68 dropped 102 Antivirus detection for dropped file 35->102 104 Machine Learning detection for dropped file 35->104 106 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 35->106 108 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->108 41 TbQkcPFuzqlGMrlXnvWuTixVGmMtVi.exe 35->41         started        44 schtasks.exe 1 35->44         started        46 schtasks.exe 1 35->46         started        48 4 other processes 35->48 signatures15 process16 signatures17 110 Antivirus detection for dropped file 41->110 112 Machine Learning detection for dropped file 41->112 114 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 41->114 50 conhost.exe 44->50         started        52 conhost.exe 46->52         started        54 conhost.exe 48->54         started        56 conhost.exe 48->56         started        58 conhost.exe 48->58         started        60 conhost.exe 48->60         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c263b9a957766bbb5b1fa0487ba5e9209e10fe95eee0397a7ccafad2f7d50a4e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-01 18:30:13 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
192345b11e53e8d691a67584df68072eb1e8b8d41f4a4b5af7fae19d36ba36c4
DCRat
3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba
DCRat
4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4
DCRat
60c8d36d9acc5b958d863d2315fc84aebf0cb2cea7caca3f0055fc2aecd18cdc
DCRat
6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61
DCRat
70da4cb906561579f992801bfce2c3f1daf01833b292a9bd04545b7e0ee49fbd
DCRat
71f88e8c4b70c78ba9ab63ce24044701518380aed406b02e718ed90de7c67edf
DCRat
d2e32cba0f48d078bfbb00b65652d69b053136c31c85135217dce00aeed80a3c
DCRat
dbb052cb64caf28728eecf651c6c50340d246842e875960f990ff40016da979c
DCRat
edd956a7bc18bf82d3716d1b7a9a485c7ed665edd53cd9459580e005e2735c17
DCRat
+ 406 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/210301-ajcvtmr3c2/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
Unpacked files
SH256 hash:
c263b9a957766bbb5b1fa0487ba5e9209e10fe95eee0397a7ccafad2f7d50a4e
MD5 hash:
e2652c8c7959bcebe06c110804dbd1ae
SHA1 hash:
af48d84fa3e0e78dcb709cbb6eae14009a11175d
Link:
https://www.unpac.me/results/52147a6a-5818-4551-a517-6946f5a9d83a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c263b9a957766bbb5b1fa0487ba5e9209e10fe95eee0397a7ccafad2f7d50a4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/c263b9a957766bbb5b1fa0487ba5e9209e10fe95eee0397a7ccafad2f7d50a4e/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120366/

Comments