MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd44752a2e61a21cb5f01b7a791c60aee8b36c8a34b639ade2ce55f30054afe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd44752a2e61a21cb5f01b7a791c60aee8b36c8a34b639ade2ce55f30054afe2
SHA3-384 hash: 9d19b2fde6e2f4f7e2617d5c0dcbd00852ba3fe6920835a650c9f7ba18e9b31dcf122081452561e8b551fee430c838c8
SHA1 hash: 6975518892364b4c8b515ba3f7b1de813e464d4c
MD5 hash: ef499e7b36aaf873b5fc5c8dfcd0b402
humanhash: coffee-mobile-papa-moon
File name:ef499e7b36aaf873b5fc5c8dfcd0b402.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'060'765 bytes
First seen:2022-05-13 14:22:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:J84EaM6LoINXP4/Te8Uqd7goi27tCOKeXszu/JWcWc:JGx6UuXPeNxeh27tCOKeIs
Threatray 1'681 similar samples on MalwareBazaar
TLSH T1379523037D9098B2CA310D365A28BF3164BDBE202F109EDBB3E46E5DD9711D1AB34667
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270448/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17554/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/627e69d07804b2efc4931612/reports/f878d14b-6505-40c9-9566-df9191e3ea75/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ee30656-0e2a-4e2d-8cc9-af5e03e28d1b
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993636
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd44752a2e61a21cb5f01b7a791c60aee8b36c8a34b639ade2ce55f30054afe2/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-05-07 18:27:00 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
6339a14fb049a069fed24b0a9827ab82710426e174139d172a6536bfb1519402
DCRat
6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c
DCRat
70da4cb906561579f992801bfce2c3f1daf01833b292a9bd04545b7e0ee49fbd
DCRat
7910bae57ea65b0389078fce2009e479c73546df088973cbfbd55a8b783f27e1
DCRat
7e4bc5c98691dd99d7c856dc26110113c15d72fb5b8a73db75a9c9b2bee021e2
DCRat
84f416154320af7571f93624d2005f846720a86c59a003ccf6939d3599b7e52c
DCRat
8bc0620aa9e06ff8861c9cbba4ea13329b42b13fe35c9ba35c30580cf27068b3
DCRat
bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf
DCRat
d8973dcdc7704e93175add543a41e8322bdb15c4f92b2fa642713ed09681ffad
DCRat
+ 1'671 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220513-rp4wwagdf6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
c09d7b1ecf9dd4917c8f081132ac5c533bc326959505d7364aa546d4822e5c9c
MD5 hash:
60b6a611559a27f113b51c76733f26d0
SHA1 hash:
6dc70a539f0d1c8b9a84edef26c2bdf82bbfa098
Link:
https://www.unpac.me/results/e0c3f3be-8a08-42e3-8c0b-f90567e30a9c/
SH256 hash:
d5d4cb9208955402b539f24d77f3cd6a327afc9c11c062f175aea99ca0028a85
MD5 hash:
e2b2b430d522f300ad51f00e64d0e04d
SHA1 hash:
36695c6fbec355e31209c09790a30533b7e33937
Link:
https://www.unpac.me/results/e0c3f3be-8a08-42e3-8c0b-f90567e30a9c/
SH256 hash:
cd44752a2e61a21cb5f01b7a791c60aee8b36c8a34b639ade2ce55f30054afe2
MD5 hash:
ef499e7b36aaf873b5fc5c8dfcd0b402
SHA1 hash:
6975518892364b4c8b515ba3f7b1de813e464d4c
Link:
https://www.unpac.me/results/e0c3f3be-8a08-42e3-8c0b-f90567e30a9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd44752a2e61a21cb5f01b7a791c60aee8b36c8a34b639ade2ce55f30054afe2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270448/

Comments