MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9a69a518fddd5eb4740cf598af5e003297919dbe665652f33e36b81dff3868c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9a69a518fddd5eb4740cf598af5e003297919dbe665652f33e36b81dff3868c
SHA3-384 hash: 880fe77e3219af76ba72a79ecb7094998c90e53674e347b6048e632e21880d331c6ab17e8e4f5dd988662ff09b3358ca
SHA1 hash: 1183ff85cb8c04526332201fd9fa350d625b2e21
MD5 hash: 0e035b1aaf6ff36416e60bf58c130cc4
humanhash: six-august-hawaii-burger
File name:0e035b1aaf6ff36416e60bf58c130cc4.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'659'280 bytes
First seen:2022-06-30 17:06:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d1de84e4e19e5a9cd49215329c1ce5ba (2 x DCRat, 2 x CoinMiner, 1 x AsyncRAT)
ssdeep 49152:wFg2ZcCBCgvXFfXuk2tkNDs4r0Ar5upLVvxO1gaws7fVYz0KfuO9ORz7f4dv:wGQcDgvVfXV2SMArjUEWz03iK7w
Threatray 879 similar samples on MalwareBazaar
TLSH T1B2C533153FE4C1F6C4C325B16A66271E23B6D63217A810C39B6C25108DB3ADD973E2F9
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon c2e0b48666dadae2 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe signed

Code Signing Certificate

Organisation:757e7yrdj57d7kudt
Issuer:757e7yrdj57d7kudt
Algorithm:sha512WithRSAEncryption
Valid from:2022-05-30T00:00:00Z
Valid to:2024-05-30T00:00:00Z
Serial number: 367ddb93098c7f59
Thumbprint Algorithm:SHA256
Thumbprint: 277f5e84ba4c2411f83cddd0c058cfea6f9e98f902f445385312be5186cdce77
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
DCRat C2:
http://87.251.77.45/multiprotonCdngame/Python/UpdateHttp/jsServer/5Videopacket/Update/4wp/Update/Private3lineexternal/Local5/datalife5Temporary/test0/testUploads_/9/TemporaryAsyncLinuxProtect/requestAuth55/UniversalUploadsGeneratorLongpoll/providerVideoPythonWindowsuploads.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://87.251.77.45/multiprotonCdngame/Python/UpdateHttp/jsServer/5Videopacket/Update/4wp/Update/Private3lineexternal/Local5/datalife5Temporary/test0/testUploads_/9/TemporaryAsyncLinuxProtect/requestAuth55/UniversalUploadsGeneratorLongpoll/providerVideoPythonWindowsuploads.php https://threatfox.abuse.ch/ioc/742729/

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284650/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.16145.5991.12449.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Sending a custom TCP request
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23108/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
keylogger overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62bdd83c82a67b6740e2c6bb/reports/59d7a44d-32aa-4dc9-9922-771819e56dc5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03723585-e7aa-41eb-938e-3df7a15f8023
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022749
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files to the user root directory
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 655244 Sample: X8nFfIZyVA.exe Startdate: 30/06/2022 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for dropped file 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 7 other signatures 2->49 7 X8nFfIZyVA.exe 8 2->7         started        11 rFkSQlIJbRGzUXVeriyXylukrFV.exe 3 2->11         started        13 rFkSQlIJbRGzUXVeriyXylukrFV.exe 2 2->13         started        15 18 other processes 2->15 process3 file4 39 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 7->39 dropped 41 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 7->41 dropped 59 Contains functionality to register a low level keyboard hook 7->59 17 cmd.exe 2 7->17         started        signatures5 process6 process7 19 Mssvc.exe 1 40 17->19         started        23 7z.exe 2 17->23         started        25 7z.exe 3 17->25         started        27 4 other processes 17->27 file8 29 C:\Users\Public\Pictures\ctfmon.exe, PE32 19->29 dropped 31 C:\Users\Public\Music\dwm.exe, PE32 19->31 dropped 33 C:\Users\Default\csrss.exe, PE32 19->33 dropped 37 15 other files (12 malicious) 19->37 dropped 51 Drops PE files to the user root directory 19->51 53 Creates processes via WMI 19->53 55 Drops PE files with benign system names 19->55 57 Drops executable to a common third party application directory 19->57 35 C:\Users\user\AppData\Local\...\Mssvc.exe, PE32 23->35 dropped signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9a69a518fddd5eb4740cf598af5e003297919dbe665652f33e36b81dff3868c/
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2022-06-24 22:33:32 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgtjuump3xk6wr2az5myv5paamuxsgo34zswklzt4nvydx7tq2ga._file
Verdict:
malicious
Similar samples:
07aa701aa9a0d572db1b8b9d9b3ea748c5d62aa88efa13019bf9aa45c9063f5d
DCRat
1460c862ed99f46ed0a803a546a1e832e0fb623c8979da0c9a305fa6480c2102
DCRat
46de8f7362971390c40f26d102a521d17d4aa6a8ab3d14b8e08b81610a691cac
DCRat
92f8e37e5ef9e822c86f385e482f8a20de4da03d6f1e23739111214c5774319a
DCRat
dc18180ca0499d12d89f868f2ee5e7b1b2dbbc2c552adc243c67263d03db63f5
DCRat
+ 869 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat suricata
Link:
https://tria.ge/reports/220630-vmy5dsfba6/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
DCRat Payload
DcRat
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
516b8c03c6d17d92c80bce447128414dd3f0a0e0c00ff4157af1523170dd5953
MD5 hash:
d7c6b1fc37ac678453894b4cedc551c8
SHA1 hash:
47a611f9b86ea3b7c6c79fc28c22d4063bf1a14d
Link:
https://www.unpac.me/results/0f823e66-bee1-4ca3-8b2e-4995a9033090/
SH256 hash:
c9a69a518fddd5eb4740cf598af5e003297919dbe665652f33e36b81dff3868c
MD5 hash:
0e035b1aaf6ff36416e60bf58c130cc4
SHA1 hash:
1183ff85cb8c04526332201fd9fa350d625b2e21
Link:
https://www.unpac.me/results/0f823e66-bee1-4ca3-8b2e-4995a9033090/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DCRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9a69a518fddd5eb4740cf598af5e003297919dbe665652f33e36b81dff3868c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284650/

Comments