MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39d68efeada072170dc0be43e29b61f92cd62f70e3cc4ef31fd44d1aa44d5c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c39d68efeada072170dc0be43e29b61f92cd62f70e3cc4ef31fd44d1aa44d5c0
SHA3-384 hash: 7a0d46288c32b57dd87f855967b55666aced40826759148d7c02ef77efc4d7f12348a3b8322e8473d574ce264a323b49
SHA1 hash: 61df746feef76263877af36d1fe7c518090ff32b
MD5 hash: a49a0cd6b6d0743d2517fd5abad4e0f6
humanhash: south-yellow-stairway-ohio
File name:a49a0cd6b6d0743d2517fd5abad4e0f6.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:4'478'072 bytes
First seen:2021-09-16 06:45:36 UTC
Last seen:2021-09-16 07:40:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:Pfm9EeVsLM2OOr5TqXFZAuJbEdSqXTqXVZAuJbEdZ/FluraLxTsEStIxvoLZ:Pfm9CrJQ3ISiG3IZbur8kt
Threatray 163 similar samples on MalwareBazaar
TLSH T1DF26CF0D07C9D50AD2BE02788C7083AA4F705CF3C125BEE716977D2E28B5D87B7156AA
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://83.136.233.171/datadata/log/RequestsqlWindowsfloweruniversal.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://83.136.233.171/datadata/log/RequestsqlWindowsfloweruniversal.php https://threatfox.abuse.ch/ioc/222487/

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a49a0cd6b6d0743d2517fd5abad4e0f6.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 06:46:49 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/fe177c07-22db-4a8b-8dfc-893aa877da5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188318/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46967710.29467.758.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61751f4ddb358dd15ed92662/reports/7f816c2b-be9a-4940-b0c0-04edeafc69b1/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ecb62a1e-1043-4479-bd0c-d1464fd29dfb
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/851863
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 484294 Sample: 2zOw3izpwE.exe Startdate: 16/09/2021 Architecture: WINDOWS Score: 96 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected DCRat 2->52 54 3 other signatures 2->54 8 2zOw3izpwE.exe 2 2->8         started        11 sihost.exe 2 2->11         started        13 backgroundTaskHost.exe 2 2->13         started        15 4 other processes 2->15 process3 signatures4 56 Creates processes via WMI 8->56 58 Injects a PE file into a foreign processes 8->58 17 2zOw3izpwE.exe 6 22 8->17         started        20 WerFault.exe 9 8->20         started        60 Multi AV Scanner detection for dropped file 11->60 22 backgroundTaskHost.exe 13->22         started        24 sihost.exe 15->24         started        process5 file6 34 C:\Windows\SysWOW64\wbem\...\WmiPrvSE.exe, PE32 17->34 dropped 36 C:\Windows\SysWOW64\...\RuntimeBroker.exe, PE32 17->36 dropped 38 C:\Recovery\sihost.exe, PE32 17->38 dropped 42 7 other malicious files 17->42 dropped 26 WmiPrvSE.exe 2 17->26         started        40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->40 dropped process7 signatures8 62 Multi AV Scanner detection for dropped file 26->62 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->64 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 26->66 68 2 other signatures 26->68 29 WmiPrvSE.exe 26->29         started        32 WerFault.exe 26->32         started        process9 dnsIp10 44 83.136.233.171, 49746, 49796, 49798 MTR-SVIAZ-ASRU Russian Federation 29->44 46 192.168.2.1 unknown unknown 32->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c39d68efeada072170dc0be43e29b61f92cd62f70e3cc4ef31fd44d1aa44d5c0/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 01:01:24 UTC
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yoowr37k3idsc4g4bpsd4knwd6jm2yxxby6mj3zr7vcndkse2xaa._file
Verdict:
malicious
Similar samples:
0757a3b97f39c1d8a6c3d94770762a3912304cfaffa0330761945acd7f236213
DCRat
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
DCRat
0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed
DCRat
19f71da28ebab8fe7256a657c603698ad607a7273e85d0e8b107269643cfa5dd
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
DCRat
b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
DCRat
cba27621d4b7c92fd50bf37135e150b45097ca9306061ed7049f802047bbd1b9
DCRat
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
DCRat
+ 153 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210916-hjmwqscea5/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
2abc3c1d4c39afd9b3d85b433e5a0e52a788932caea11995a75b83671c44e456
MD5 hash:
98898d7b77cfb14353200cd81405a96f
SHA1 hash:
4187eb0e41e2c5a52b5382a390eecd56c88db1cd
Link:
https://www.unpac.me/results/7bcf627d-7661-4106-9214-0eba4222b55d/
SH256 hash:
1de4c9d7e20f503364620ddf3d6cb8912e3424f32a7a86094f17923815e53308
MD5 hash:
064a948ed34d938d4395b4bbdc80c337
SHA1 hash:
9587b651f65d306d64fa36299052060a7485ba28
Link:
https://www.unpac.me/results/7bcf627d-7661-4106-9214-0eba4222b55d/
SH256 hash:
8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash:
4abff34e351e4e95514aecb515e8aea3
SHA1 hash:
742702e8c78e7cf19f19e56a6cdb2d1811759710
Link:
https://www.unpac.me/results/7bcf627d-7661-4106-9214-0eba4222b55d/
SH256 hash:
c39d68efeada072170dc0be43e29b61f92cd62f70e3cc4ef31fd44d1aa44d5c0
MD5 hash:
a49a0cd6b6d0743d2517fd5abad4e0f6
SHA1 hash:
61df746feef76263877af36d1fe7c518090ff32b
Link:
https://www.unpac.me/results/7bcf627d-7661-4106-9214-0eba4222b55d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c39d68efeada072170dc0be43e29b61f92cd62f70e3cc4ef31fd44d1aa44d5c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188318/

Comments