MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77
SHA3-384 hash: a3c0e0721519336752cd892e06de6158c61cf6c1c7db75b083a04cb7fe0c0f8b75873e9ba0dd1c610917da9e358e579a
SHA1 hash: 4e8a3b17d01b386e0e1442ae05d885168c1206e4
MD5 hash: 09e9cefb358c55b03e898488f8d052df
humanhash: king-uniform-queen-tennis
File name:c98e35ff05689705117dbb7e36e58f1237f08df306371.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:8'213'128 bytes
First seen:2023-01-24 18:15:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:W5YhQECsXDjpf3ZkJMFEAJX8JvC/UcwCK:8YhQECENZkcJVw
Threatray 6'452 similar samples on MalwareBazaar
TLSH T1ED86335991A048B5EDF70DFFF4800611CABA3C320765C7871F6575C65EA3FA92E2AB80
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 6096616931641820 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://178.250.158.26/protectGame/0To31/4/Protect/dleLongpoll/CentralrequestLocal/UniversalbigloadLow8/local/Downloadseternal/longpollProcessor_/lowgenerator.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c98e35ff05689705117dbb7e36e58f1237f08df306371.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 18:19:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be5e6df8-e4ee-415a-ab13-fc17b49c86cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356495/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Searching for the window
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62816/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat greyware overlay packed
Link:
https://www.filescan.io/uploads/63d02063905a5ac3b908a181/reports/306c9ba8-c60c-4266-b814-93418d76f3bf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ElevenClock
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/aac8be44-835b-4850-a5fa-64806ea1e9b2
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
87 / 100
Link:
https://www.joesandbox.com/analysis/1158187
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790933 Sample: c98e35ff05689705117dbb7e36e... Startdate: 24/01/2023 Architecture: WINDOWS Score: 87 95 Snort IDS alert for network traffic 2->95 97 Antivirus detection for dropped file 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 9 other signatures 2->101 12 c98e35ff05689705117dbb7e36e58f1237f08df306371.exe 15 2->12         started        15 schtasks.exe 2->15         started        17 schtasks.exe 2->17         started        19 11 other processes 2->19 process3 file4 79 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 12->79 dropped 81 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 12->81 dropped 83 C:\Users\user\AppData\Local\...\python39.dll, PE32+ 12->83 dropped 85 9 other malicious files 12->85 dropped 21 c98e35ff05689705117dbb7e36e58f1237f08df306371.exe 2 12->21         started        process5 file6 67 C:\main1.exe, PE32 21->67 dropped 69 C:\main.exe, PE32 21->69 dropped 24 cmd.exe 1 21->24         started        26 cmd.exe 1 21->26         started        28 schtasks.exe 21->28         started        process7 process8 30 main.exe 3 11 24->30         started        34 conhost.exe 24->34         started        36 main1.exe 7 26->36         started        38 conhost.exe 26->38         started        file9 87 C:\Users\user\AppData\...\Agentbrokerhost.exe, PE32 30->87 dropped 89 C:\Users\user\...\tSkbM8Kgd45HNZU2lIsTAW.vbe, data 30->89 dropped 115 Antivirus detection for dropped file 30->115 117 Machine Learning detection for dropped file 30->117 40 wscript.exe 1 30->40         started        44 wscript.exe 30->44         started        46 wscript.exe 36->46         started        48 wscript.exe 36->48         started        signatures10 process11 dnsIp12 93 192.168.2.1 unknown unknown 40->93 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->109 111 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 40->111 113 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 40->113 50 cmd.exe 1 40->50         started        52 cmd.exe 46->52         started        signatures13 process14 process15 54 Agentbrokerhost.exe 1 11 50->54         started        58 conhost.exe 50->58         started        60 conhost.exe 52->60         started        62 Agentbrokerhost.exe 52->62         started        file16 71 C:\Windows\Web\...\RuntimeBroker.exe, PE32 54->71 dropped 73 C:\Users\user\...\ZTrGJQOYOTsRwBMNehNzKsP.exe, PE32 54->73 dropped 75 C:\MSOCache\...\ShellExperienceHost.exe, PE32 54->75 dropped 77 C:\MSOCache\...\ZTrGJQOYOTsRwBMNehNzKsP.exe, PE32 54->77 dropped 103 Antivirus detection for dropped file 54->103 105 Machine Learning detection for dropped file 54->105 107 Creates processes via WMI 54->107 64 ZTrGJQOYOTsRwBMNehNzKsP.exe 54->64         started        signatures17 process18 dnsIp19 91 178.250.158.26, 49723, 49725, 49726 THEFIRST-ASRU Russian Federation 64->91
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77/
Threat name:
Win64.Trojan.DelFile
Create hunting rule
Status:
Malicious
First seen:
2023-01-22 02:13:09 UTC
File Type:
PE+ (Exe)
Extracted files:
279
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zghdl7yfnclqkel5xn7dnzmpci37bdptay3rglloeednwg65753q._file
Verdict:
malicious
Similar samples:
55800bd922435a6dc26668218f232cf3c5533872e876b4aa53362a657d155e47
DCRat
6367ba7e45c187cabf91fac6fa63d42ff02e329882788452386e5e487cdd85eb
DCRat
840cf44c6fe52b883a3ebb5cbdd0a3705ffb661109265fbf68a1330266fd6cc6
DCRat
b171ce02608257ab163b0dcdf443a91a41ffe02e2c74597cdb829f5088a7ca94
DCRat
da836408b89e756bd33aed58103d85199671e6fa41ded4d2247bf189b29c6f14
DCRat
e0b5142a0af8f9cf06f8e7cb073828711c38a9c47a906d820300d79a7dbce186
DCRat
f63dc116cf6f2bf6c2f33898d73ef0b974ed3fa9de67d840b50b35ee2d9390d9
DCRat
+ 6'442 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer pyinstaller rat spyware stealer
Link:
https://tria.ge/reports/230124-wwfvvada67/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77
MD5 hash:
09e9cefb358c55b03e898488f8d052df
SHA1 hash:
4e8a3b17d01b386e0e1442ae05d885168c1206e4
Link:
https://www.unpac.me/results/f7b33544-f4f8-4ffe-a611-9942e8bbf2be/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c98e35ff0568/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356495/

Comments