MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9db6874de4f8439448b1518ca66a3225df40b702882fc650dc5b64272131e70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9db6874de4f8439448b1518ca66a3225df40b702882fc650dc5b64272131e70
SHA3-384 hash: 207654df472b60020000b6f1466b6a2261e09a65a8e33f032dcb9fcc22f13569626232b110372039d588c5596602de56
SHA1 hash: 04e848376d0c0e102895d272df1acdf1614728fe
MD5 hash: 350e09ae6984814cdd9dae2ffba31e56
humanhash: carpet-violet-triple-diet
File name:350e09ae6984814cdd9dae2ffba31e56.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'439'988 bytes
First seen:2024-02-19 00:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:y2G/nvxW3Ww0LmUgSc5LWuHQtDd88hkHqYnmwS5z:ybA3YLmrIe8yqYnFu
Threatray 18 similar samples on MalwareBazaar
TLSH T105656A02BE448E31F0191633C2EF451487B4AC106AA6E31B7EB9376E55223977DDDACB
TrID 76.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.2% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon f0cc82232792dcf0 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a0916796.xsph.ru/L1nc0In.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
411
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/476695/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

Win.Trojan.Uztuby-10010740-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien anti-vm cmd cscript dcrat explorer fingerprint installer lolbin overlay packed prometheus schtasks setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/65d2a146c5e1a083fbf119e6/reports/11454007-4c66-46d8-9cc9-bcd60586fc33/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/c9db6874de4f8439448b1518ca66a3225df40b702882fc650dc5b64272131e70
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fc72b51-ff1d-4983-be71-8d1ba2cff610
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1394216
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1394216 Sample: fLIBsHI3HN.exe Startdate: 19/02/2024 Architecture: WINDOWS Score: 100 59 pastebin.com 2->59 61 a0916796.xsph.ru 2->61 65 Snort IDS alert for network traffic 2->65 67 Found malware configuration 2->67 69 Antivirus detection for dropped file 2->69 73 14 other signatures 2->73 10 fLIBsHI3HN.exe 3 6 2->10         started        13 rZiDNRUqDoYUHYLBv.exe 2->13         started        16 serverruntimeperf.exe 2->16         started        18 8 other processes 2->18 signatures3 71 Connects to a pastebin service (likely for C&C) 59->71 process4 file5 51 C:\blockbrokerDll\serverruntimeperf.exe, PE32 10->51 dropped 53 C:\blockbrokerDll\WCFZzEhXwNVWp.vbe, data 10->53 dropped 20 wscript.exe 1 10->20         started        89 Antivirus detection for dropped file 13->89 91 Multi AV Scanner detection for dropped file 13->91 93 Machine Learning detection for dropped file 13->93 signatures6 process7 signatures8 75 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->75 23 cmd.exe 1 20->23         started        process9 process10 25 serverruntimeperf.exe 1 18 23->25         started        29 reg.exe 23->29         started        31 conhost.exe 23->31         started        file11 43 C:\Windows\Media\Calligraphy\explorer.exe, PE32 25->43 dropped 45 C:\Windows\...\ctfmon.exe, PE32 25->45 dropped 47 C:\Users\Default\OneDrive\RuntimeBroker.exe, PE32 25->47 dropped 49 4 other malicious files 25->49 dropped 77 Antivirus detection for dropped file 25->77 79 Multi AV Scanner detection for dropped file 25->79 81 Machine Learning detection for dropped file 25->81 87 3 other signatures 25->87 33 ctfmon.exe 25->33         started        37 schtasks.exe 25->37         started        39 schtasks.exe 25->39         started        41 19 other processes 25->41 83 Disable Task Manager(disabletaskmgr) 29->83 85 Disables the Windows task manager (taskmgr) 29->85 signatures12 process13 dnsIp14 55 a0916796.xsph.ru 141.8.192.26, 49705, 49706, 49707 SPRINTHOSTRU Russian Federation 33->55 57 pastebin.com 104.20.68.143, 443, 49704 CLOUDFLARENETUS United States 33->57 63 Tries to harvest and steal browser information (history, passwords, etc) 33->63 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c9db6874de4f8439448b1518ca66a3225df40b702882fc650dc5b64272131e70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9db6874de4f8439448b1518ca66a3225df40b702882fc650dc5b64272131e70/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2024-02-12 18:23:33 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhnwq5g6j6cdsrelcummuzvdejo7ic3qfcbpyzinyw3ee4qtdzya._file
Verdict:
malicious
Similar samples:
3e55b54015ebcc09dce584c6963caaa487f62492f015f7daa4c645bcb7bb1bcd
DCRat
417c9ed1b4c2d455f302dc83dd450cd9209e35f2c42ad5e3c3e2217fe7465ee2
DCRat
7fed6406da8c6fac0504f899f2d88cf18c82b40d10d28e0651d851aa8113a13b
DCRat
cf4efad0b9d74151b09be4acfb12d1aea2a9e316b97a2eb7f4ca8ac12b0e6d8c
DCRat
+ 8 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer rat spyware stealer
Link:
https://tria.ge/reports/240219-at2tmsga2z/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Disables Task Manager via registry modification
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
270e4c9c272e76b067e85727fbd871ff65edc0ef837a9b80cfed84252203ffbd
MD5 hash:
c9618d3d5ba243b024fe41223ef625be
SHA1 hash:
626d260a95fbf0b8b2ace91b64d0c7aa294616bf
Link:
https://www.unpac.me/results/ba3dca1a-a04f-4e76-88af-92188b81452b/
SH256 hash:
afb86be372d2c862bee05d75bf3b5d141e7611d87184bdd0cfb4f01f0b74f48d
MD5 hash:
4cd9ff3063cf675879efa3a3dcd09bc5
SHA1 hash:
68122b5443f23cd2c5f88fb35762abcd85d39c43
Link:
https://www.unpac.me/results/ba3dca1a-a04f-4e76-88af-92188b81452b/
SH256 hash:
c9db6874de4f8439448b1518ca66a3225df40b702882fc650dc5b64272131e70
MD5 hash:
350e09ae6984814cdd9dae2ffba31e56
SHA1 hash:
04e848376d0c0e102895d272df1acdf1614728fe
Link:
https://www.unpac.me/results/ba3dca1a-a04f-4e76-88af-92188b81452b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9db6874de4f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9db6874de4f8439448b1518ca66a3225df40b702882fc650dc5b64272131e70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/476695/

Comments