MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d00de0e51425c7c5ac7fe5790a5f13baceef07db80aa43771efd4926347541d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d00de0e51425c7c5ac7fe5790a5f13baceef07db80aa43771efd4926347541d3
SHA3-384 hash: 6240aa813460ce3006733f9cc0c1c43d49207d56648ddcc687c8f4b81f26924910fccacc20f1691aed90a7643d90b4d3
SHA1 hash: 163e2e75178ce9a4d460a3225bfe22bf62672b83
MD5 hash: b2812c4b8b9e48aa63446353d20e3cde
humanhash: venus-princess-twenty-hotel
File name:b2812c4b8b9e48aa63446353d20e3cde.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'270'318 bytes
First seen:2022-01-02 15:40:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0tqGuopSo+MGb+kMIFWL6UA+4o:UbA30qGhIoX9v
Threatray 1'200 similar samples on MalwareBazaar
TLSH T1A24538037A48D911D0291A37CAEF912447BCBE017A23DB1A7E9F33AD65513A35D0E6CE
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://185.43.7.237/base/4Server/asyncrequesttrafficDefault/Bigload4/python/External/secureDatalife/auth/PythonProcessor.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.43.7.237/base/4Server/asyncrequesttrafficDefault/Bigload4/python/External/secureDatalife/auth/PythonProcessor.php https://threatfox.abuse.ch/ioc/290546/

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b2812c4b8b9e48aa63446353d20e3cde.exe
Verdict:
No threats detected
Analysis date:
2022-01-02 15:43:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4879ffbe-64cb-439e-a6ab-28ce4e6db902

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217082/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the system32 subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3685/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi greyware overlay packed packed
Link:
https://www.filescan.io/uploads/61d1c790ec6c6c14a905be00/reports/02b1f0c6-3bf8-44fd-b8f2-72a3dd6c25c2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0b7a50b-e7aa-44ea-9e1a-c4092c181712
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/914650
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 547128 Sample: FPm57Whb1x.exe Startdate: 02/01/2022 Architecture: WINDOWS Score: 96 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected DCRat 2->48 50 Uses schtasks.exe or at.exe to add and modify task schedules 2->50 9 FPm57Whb1x.exe 3 6 2->9         started        12 spoolsv.exe 3 2->12         started        15 schtasks.exe 2->15         started        17 10 other processes 2->17 process3 file4 34 C:\Windows\DirectX.exe, PE32 9->34 dropped 19 wscript.exe 1 9->19         started        62 Multi AV Scanner detection for dropped file 12->62 21 conhost.exe 15->21         started        signatures5 process6 process7 23 cmd.exe 1 19->23         started        signatures8 52 Drops executables to the windows directory (C:\Windows) and starts them 23->52 26 DirectX.exe 7 22 23->26         started        30 conhost.exe 23->30         started        process9 file10 36 C:\...\ACdgWSnvCxZoOpEVPcZTNyBK.exe, PE32 26->36 dropped 38 C:\PerfLogs\spoolsv.exe, PE32 26->38 dropped 40 C:\Windows\...\ShellExperienceHost.exe, PE32 26->40 dropped 42 4 other files (none is malicious) 26->42 dropped 54 Creates multiple autostart registry keys 26->54 56 Creates an autostart registry key pointing to binary in C:\Windows 26->56 58 Creates processes via WMI 26->58 60 Drops PE files with benign system names 26->60 32 ACdgWSnvCxZoOpEVPcZTNyBK.exe 2 26->32         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d00de0e51425c7c5ac7fe5790a5f13baceef07db80aa43771efd4926347541d3/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2021-12-31 00:47:46 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ag6bziuexd4lld74v4quxytxlho6b63qcveg5y67vesmndvihjq._file
Verdict:
malicious
Similar samples:
0757a3b97f39c1d8a6c3d94770762a3912304cfaffa0330761945acd7f236213
DCRat
0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed
DCRat
19f71da28ebab8fe7256a657c603698ad607a7273e85d0e8b107269643cfa5dd
DCRat
5487f2263ad9238d80e7db399d980f1bb66c1c5b43d5595165e097ee385ddb53
DCRat
6923f777931474820c95c6efa6229ecfa4d03409435f1509d196cff7c4289043
DCRat
82c13c95753cdc1d550278176ce8347822d3d08d4e1b1df3c66c9fcbdfe2bf5d
DCRat
99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16
DCRat
b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
DCRat
cba27621d4b7c92fd50bf37135e150b45097ca9306061ed7049f802047bbd1b9
DCRat
da685aede35b040929ea3cd659e921c89fe64e93551a94440ec7f9f8b1f85802
DCRat
+ 1'190 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/220102-s4rqjaaeg5/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
3824026853f49abbaf29d6c42f55c3fa0a64d4002d3b33488626ebaa8563a135
MD5 hash:
254c2f6596fc70b9022a48ae25f7d0b0
SHA1 hash:
15f10e52c4f28a7b70bce699b21ccc392d15934e
Link:
https://www.unpac.me/results/3f4a42f7-1407-4e57-b0fc-c9e225b342eb/
SH256 hash:
d00de0e51425c7c5ac7fe5790a5f13baceef07db80aa43771efd4926347541d3
MD5 hash:
b2812c4b8b9e48aa63446353d20e3cde
SHA1 hash:
163e2e75178ce9a4d460a3225bfe22bf62672b83
Link:
https://www.unpac.me/results/3f4a42f7-1407-4e57-b0fc-c9e225b342eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d00de0e51425c7c5ac7fe5790a5f13baceef07db80aa43771efd4926347541d3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217082/

Comments