MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf84be2a0d26ffd76a445e6a288e1dc9d61ff01bd00e9c4dac583e86215c207f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf84be2a0d26ffd76a445e6a288e1dc9d61ff01bd00e9c4dac583e86215c207f
SHA3-384 hash: f7be67e21c1670a349e13a27bda69d19e291e6f4ad78e528927dd56ac7034de24350e5addc4ae1107a8823822262e769
SHA1 hash: 87c0d2ccbeae7fb343d74ea681e0a5b379c7f693
MD5 hash: f8025dea93783066a5ad550e835cb8f6
humanhash: tennis-item-crazy-jupiter
File name:F8025DEA93783066A5AD550E835CB8F6.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'261'056 bytes
First seen:2021-07-14 14:51:21 UTC
Last seen:2021-07-14 16:11:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:QGPvkUMqitSeaEtjxIYBd9VJrC6L5HW2YAMysN3hu:PPTMFtjxIy9Vwc7CyEhu
Threatray 6 similar samples on MalwareBazaar
TLSH T18545127B006554AAC6C81731F0740F0F7ABCDA351A80F5A9B00EB3AADD1D9AD96F8375
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://80.87.201.45/piperequestauth.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://80.87.201.45/piperequestauth.php https://threatfox.abuse.ch/ioc/160440/

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F8025DEA93783066A5AD550E835CB8F6.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 14:59:31 UTC
Tags:
stealer evasion trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/6197b501-98e4-46f4-a7d1-43d762e7a467

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171702/
Detection(s):
SecuriteInfo.com.Variant.Razy.412818.2473.13891.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5322b7cc-4fb3-43cf-beee-a31819b18f7b
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816312
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448727 Sample: RuK243W4ZR.exe Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Antivirus detection for dropped file 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 14 other signatures 2->65 8 RuK243W4ZR.exe 3 2->8         started        12 explorer.exe 3 2->12         started        14 fontdrvhost.exe 3 2->14         started        process3 file4 47 C:\Users\...\LuwzUUuwYjhmbtyhYAfVtpBc.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\...\RuK243W4ZR.exe.log, ASCII 8->49 dropped 75 Detected unpacking (changes PE section rights) 8->75 16 LuwzUUuwYjhmbtyhYAfVtpBc.exe 1 16 8->16         started        77 Antivirus detection for dropped file 12->77 79 Multi AV Scanner detection for dropped file 12->79 81 Detected unpacking (overwrites its own PE header) 12->81 83 2 other signatures 12->83 signatures5 process6 file7 39 C:\Windows\winhlp32\explorer.exe, PE32 16->39 dropped 41 C:\Windows\System32\...\RuntimeBroker.exe, PE32 16->41 dropped 43 C:\ProgramData\Oracle\wermgr.exe, PE32 16->43 dropped 45 2 other malicious files 16->45 dropped 51 Antivirus detection for dropped file 16->51 53 Multi AV Scanner detection for dropped file 16->53 55 Detected unpacking (overwrites its own PE header) 16->55 57 6 other signatures 16->57 20 winlogon.exe 3 16->20         started        23 schtasks.exe 1 16->23         started        25 schtasks.exe 1 16->25         started        27 3 other processes 16->27 signatures8 process9 signatures10 67 Antivirus detection for dropped file 20->67 69 Multi AV Scanner detection for dropped file 20->69 71 Detected unpacking (overwrites its own PE header) 20->71 73 2 other signatures 20->73 29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 27->33         started        35 conhost.exe 27->35         started        37 conhost.exe 27->37         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf84be2a0d26ffd76a445e6a288e1dc9d61ff01bd00e9c4dac583e86215c207f/
Threat name:
ByteCode-MSIL.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 08:58:03 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6cl4kqne375o2selzvcrdq5zhlb74a32ahjytnmla7imik4eb7q._file
Verdict:
unknown
Similar samples:
27b1723e770a97166455a9b7edd4c7e3ee89ac046ef8dad51f7a48ac7c71c006
DCRat
54d7969a09d2ad3dcf82a96a0fce4e3fc5bbb6ee26d01a0b8517f364b5431217
DCRat
5b32b25c28c5b99c080f8b452c2b5b5e95d2d23432ea8191069f46f7b4835d44
DCRat
a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e
DCRat
c07d9b494ee6dad4baa8ad39b37af05488278e8823b81feab25f359ccdc390bd
DCRat
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210714-q12r9t3les/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
55b310571379398671e9af50521142cebb345920d0b312ab95193a4120f5c245
MD5 hash:
7a7897fabb95b5a5fe7ee0d244db1499
SHA1 hash:
1d74c80f2b71b844cfd08a34b94d99b148eec27c
Link:
https://www.unpac.me/results/9db948c7-77d3-49e2-989d-fc69c00a65ea/
SH256 hash:
24fb77c7ecd664e70e64fd0b8032ce8a5baad32e3cf015de4bc3a5dd856f56f7
MD5 hash:
7e450d086157a598bc086492ea3e8f94
SHA1 hash:
0bde3d76a1539bd95ec490b8fbee382067fbf1bf
Link:
https://www.unpac.me/results/9db948c7-77d3-49e2-989d-fc69c00a65ea/
SH256 hash:
36ad9c0949b8de28c3bbfb4cfb42510748fb44411dfe3db53dab3a36869fd5ed
MD5 hash:
711afd5a0ff3ef6687ac25ec70c47064
SHA1 hash:
03db623e1147ddb4be17a62aef8050ef6dad9d49
Link:
https://www.unpac.me/results/9db948c7-77d3-49e2-989d-fc69c00a65ea/
SH256 hash:
9d9c8d5258f11efaaa4247945f4946a5bc7ae424789d69b0f4d03f263924d06a
MD5 hash:
352f9b21b7a37b7801cba2011298184a
SHA1 hash:
6191e07b51433ada275c4d5e2bb6492a889da85c
Link:
https://www.unpac.me/results/9db948c7-77d3-49e2-989d-fc69c00a65ea/
SH256 hash:
cf84be2a0d26ffd76a445e6a288e1dc9d61ff01bd00e9c4dac583e86215c207f
MD5 hash:
f8025dea93783066a5ad550e835cb8f6
SHA1 hash:
87c0d2ccbeae7fb343d74ea681e0a5b379c7f693
Link:
https://www.unpac.me/results/9db948c7-77d3-49e2-989d-fc69c00a65ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf84be2a0d26ffd76a445e6a288e1dc9d61ff01bd00e9c4dac583e86215c207f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171702/

Comments