MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb876d17714563ab91449a20ca5c8dc8887b88cdc173067239c34805a096a237. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 13



SHA256 hash: cb876d17714563ab91449a20ca5c8dc8887b88cdc173067239c34805a096a237
SHA3-384 hash: d8941e483adbcb12df29edf038262028f6e492404523d2c40f09bdadfb5776200b3e8879aba7a4744c6f21fce5258bc6
SHA1 hash: a0cfe8cd7c4147731f6594dd0342bb0d9ad8fdc5
MD5 hash: 20af4c29ba1c8ced4a86fc73c0ad7b7c
humanhash: skylark-romeo-kentucky-berlin
File name: 20af4c29ba1c8ced4a86fc73c0ad7b7c.exe
Signature: DCRat
File size: 3'325'952 bytes
First seen: 2023-07-11 10:05:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep: 49152:CkgWW0Ryb/CM4U4Ypahk+VQoNwqAvxbE1RJ:Cp5LB4Yp/wQkIZ4
Threatray: 809 similar samples on MalwareBazaar
TLSH: T1C6F53305B6DBD87CEE5CE6BB12061BECDD642945F1DA94E5831DC383A4396F081EB0AC
TrID: 32.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      28.8% (.EXE) Win32 Executable (generic) (4505/5/1)
      13.0% (.EXE) OS/2 Executable (generic) (2029/13)
      12.8% (.EXE) Generic Win/DOS Executable (2002/3)
      12.8% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 30e0f8f0f0f4f890 (1 x DCRat)
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://cb38900.tw1.ru/_Defaultwindows.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 285
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 20af4c29ba1c8ced4a86fc73c0ad7b7c.exe
Verdict: Malicious activity
Analysis date: 2023-07-11 10:07:12 UTC
Tags: evasion rat backdoor dcrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Running batch commands
Searching for analyzing tools
Creating a file in the Program Files subdirectories
DNS request
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 1270749
Sample: NGtgk48apc.exe
Start date: 11/07/2023
Architecture: WINDOWS
Score: 100
Signatures on the sample: Snort IDS alert for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 11 other signatures
Process tree (node numbers as in the graph):
  NGtgk48apc.exe (10), started from the sample
    Dropped: C:\Users\user\AppData\...\fast1nject.exe (PE32); C:\Users\user\AppData\Local\Temp\1.sfx.exe (PE32)
    Started: 1.sfx.exe (20); fast1nject.exe (24)
  1.sfx.exe (20)
    Dropped: C:\Users\user\AppData\Local\Temp\1.exe (PE32)
    Signatures: Multi AV Scanner detection for dropped file
    Started: cmd.exe (27)
  fast1nject.exe (24)
    Network: raw.githubusercontent.com 185.199.108.133, port 443 (FASTLYUS, Netherlands); cdn.discordapp.com 162.159.133.233, port 443 (CLOUDFLARENETUS, United States); 192.168.2.1 (unknown)
    Signatures: Machine Learning detection for dropped file
  cmd.exe (27)
    Started: 1.exe (29); conhost.exe (33)
  1.exe (29)
    Dropped: C:\Users\user\...\reviewref_protected.exe (PE32)
    Signatures: Multi AV Scanner detection for dropped file
    Started: reviewref_protected.exe (35)
  reviewref_protected.exe (35)
    Dropped: C:\Windows\SKB\...\wqkVlFqJLIWLJuuSQG.exe (PE32); C:\Windows\PLA\Reports\en-US\spoolsv.exe (PE32); C:\Recovery\wqkVlFqJLIWLJuuSQG.exe (PE32)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 5 other signatures
    Started: wqkVlFqJLIWLJuuSQG.exe (39)
  wqkVlFqJLIWLJuuSQG.exe (39)
    Network: cb38900.tw1.ru 185.114.247.232, ports 49694, 49696, 49697 (TIMEWEB-ASRU, Russian Federation); ipinfo.io 34.117.59.81, port 443 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
    Signatures: Hides threads from debuggers
  wqkVlFqJLIWLJuuSQG.exe (13), started from the sample
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; 2 other signatures
  spoolsv.exe (16), started from the sample
    Signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Hides threads from debuggers
  11 other processes (18), started from the sample
Threat name: Win32.Hacktool.Pucrpt
Status: Malicious
First seen: 2023-07-07 05:56:33 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 20 of 24 (83.33%)
Threat level: 1/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat infostealer rat
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SHA256 hash: adda97b3b97b69e4674071fa3ecded334db3fe15fbd21d1d1805a351f91ae67c
MD5 hash: 1c59ddc00151dd04f42ed40265635491
SHA1 hash: e1b4b117b65aa5267ffb8c08e088126b4e6d3c94
SHA256 hash: 8e62f40826e586880f98d842498b3416474c09eff700a0822292d62f7cb1f78c
MD5 hash: 6608aa0d66806bd7d5e38bdf0590b772
SHA1 hash: 48923c114d373de89d8be85b56039a22c435d1ce
SHA256 hash: cb876d17714563ab91449a20ca5c8dc8887b88cdc173067239c34805a096a237
MD5 hash: 20af4c29ba1c8ced4a86fc73c0ad7b7c
SHA1 hash: a0cfe8cd7c4147731f6594dd0342bb0d9ad8fdc5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAZT_B5_NOCEXInvalidStream
Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments