MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db81002b2874cdc20123a6a943df0338386b945ebca26f3ff37ef071df59bd5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db81002b2874cdc20123a6a943df0338386b945ebca26f3ff37ef071df59bd5d
SHA3-384 hash: ced8342f4478aed86c7503efa2ee11266b7b16cce3f791b9cf060487992b49877b7d59c2e0d886d2bf5d42dc62516080
SHA1 hash: 076e53a2c72424d8b55d839a662ad2738b5f8bd1
MD5 hash: a00b9106e0e0edaa5e6540711d67d08a
humanhash: carpet-mike-sweet-jig
File name:a00b9106e0e0edaa5e6540711d67d08a.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'389'241 bytes
First seen:2021-10-23 10:20:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0t5N7MCHS/+tqnmJZqmsIma/59qihru6Lc+4p:UbA30jMAl74mHWiBbc
Threatray 976 similar samples on MalwareBazaar
TLSH T10E556B017A84ED1AD12D1637D5EF445443BCFD012A62CB1B7EAE336D68913A25E0E6CF
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://82.146.56.184/wp-admin/modules/PhpRequestsecureTestwordpress.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://82.146.56.184/wp-admin/modules/PhpRequestsecureTestwordpress.php https://threatfox.abuse.ch/ioc/236784/

Intelligence

File Origin
# of uploads :
1
# of downloads :
659
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199569/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed packed
Link:
https://www.filescan.io/uploads/6174f66fa9d585e6d53702ee/reports/8faf3e1f-970a-438f-b03e-7e97ca25d6e9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a767219-8ca0-49a0-b192-adf546ee6138
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875656
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Creates files inside the volume driver (system volume information)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 508089 Sample: MoNWo1JMCk.exe Startdate: 23/10/2021 Architecture: WINDOWS Score: 100 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected DCRat 2->64 66 Drops executables to the windows directory (C:\Windows) and starts them 2->66 9 MoNWo1JMCk.exe 3 6 2->9         started        12 cmd.exe 3 2->12         started        15 cmd.exe 2->15         started        18 10 other processes 2->18 process3 dnsIp4 56 C:\...\fontreviewwinsvcrefPerfdll.exe, PE32 9->56 dropped 20 wscript.exe 1 9->20         started        78 Multi AV Scanner detection for dropped file 12->78 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->80 82 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 12->82 84 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->84 58 82.146.56.184, 49756, 49786, 49787 THEFIRST-ASRU Russian Federation 15->58 22 cmd.exe 15->22         started        86 System process connects to network (likely due to code injection or exploit) 18->86 25 svchost.exe 18->25 injected 27 cmd.exe 18->27         started        file5 signatures6 process7 signatures8 29 cmd.exe 1 20->29         started        68 Drops executables to the windows directory (C:\Windows) and starts them 22->68 31 conhost.exe 22->31         started        33 cmd.exe 22->33         started        35 consent.exe 25->35         started        37 conhost.exe 27->37         started        process9 process10 39 fontreviewwinsvcrefPerfdll.exe 6 20 29->39         started        43 conhost.exe 29->43         started        file11 48 C:\Windows\SystemApps\...\SearchUI.exe, PE32 39->48 dropped 50 C:\Windows\System32\pnpts\spoolsv.exe, PE32 39->50 dropped 52 C:\Windows\System32\FluencyDS\dllhost.exe, PE32 39->52 dropped 54 3 other malicious files 39->54 dropped 70 Multi AV Scanner detection for dropped file 39->70 72 Creates files inside the volume driver (system volume information) 39->72 74 Creates multiple autostart registry keys 39->74 76 4 other signatures 39->76 45 SearchUI.exe 2 39->45         started        signatures12 process13 signatures14 88 Multi AV Scanner detection for dropped file 45->88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db81002b2874cdc20123a6a943df0338386b945ebca26f3ff37ef071df59bd5d/
Threat name:
ByteCode-MSIL.Trojan.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 05:59:54 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3oaqakziotg4eajdu2uuhxydha4gxfc6xsrg6p7tp3yhdx2zxvoq._file
Verdict:
malicious
Similar samples:
2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792
DCRat
45790bd0bb5eef4380c93de089dd9bf9b137a70bdc2f78e976919b6dd4b6bb2b
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
51b8434c68594113a4036358e477fe1ae1b4cc0b99d653b224250e24537d87e2
DCRat
6923f777931474820c95c6efa6229ecfa4d03409435f1509d196cff7c4289043
DCRat
8d7228ae5c573a10f0e86fc84ca9c5d6e1894428af1b582fdb54f6caf446bf3c
DCRat
95155b1eb26b2f4d548de9b64239aa4339c191a56b9f1e61697351dced1c9bc7
DCRat
99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16
DCRat
+ 966 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/211023-mdncjaccd3/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
fe183a43d737e1fbc57dd59c7aaa8b886915f0d7d99c9ddf0cde7b49ba613e26
MD5 hash:
cd4abfbbe35e36bec6b0eabf42100ef8
SHA1 hash:
c6b14d3c1f085d1551874d3a7a27ee4e6a2bc522
Link:
https://www.unpac.me/results/0e0eb637-f432-449a-98a6-2f3aa3177ff8/
SH256 hash:
3b6504d325e9f813021c5e41cb0978407f76e093584189daa1500ce65219f6b1
MD5 hash:
790b9fb857c8d06730dde580cb3b711b
SHA1 hash:
bf2be330d788d0c021d9e52e77a252e989ccea81
Link:
https://www.unpac.me/results/0e0eb637-f432-449a-98a6-2f3aa3177ff8/
Parent samples :
e6e4997c4d3b458b12715acf42f18421e60121dcbb461476ecdc487d5caa5284
54de552295e919218a7d43a1d0114bae169a79a1963113d615fd8bce428b385d
669634a33853f70175e367b9519b29e5ac57ddeb412884c004875344ad2b5165
2774262a54ea6008d5b508f4d95eb811bd5d7dc50e1c0659d016ab33d966e729
327c974b8d165bfbdc0c4277bd3d68e24b6d55a6d970340662ff78468a9c4e29
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
SH256 hash:
7e7d277ee439aa3ac20595df84d788993352bef00826b1c1fb6ffe67c30165be
MD5 hash:
b4cb71460e8d1e0202ff9488c6f7c0a3
SHA1 hash:
56c270b475895762ad013cc27fa9d7426c61e410
Link:
https://www.unpac.me/results/0e0eb637-f432-449a-98a6-2f3aa3177ff8/
SH256 hash:
e057126ffd68adb611488f03c6847f66157c5332a7647af6dd572fdbd80b4f43
MD5 hash:
4e9344deee8c5dc778cd535d4456657a
SHA1 hash:
55beee2bacf1934f5c67f080ea528e23ceff1c98
Link:
https://www.unpac.me/results/0e0eb637-f432-449a-98a6-2f3aa3177ff8/
SH256 hash:
03c5a982b0c3cd3144eaaff24b52a6480f4dc0680f0a006cf59f20565e7497ce
MD5 hash:
193a3f45ff80ed77a5c041e5f1f1beb7
SHA1 hash:
7ff88a38ee281b02b7f5279d2cd801e647becd73
Link:
https://www.unpac.me/results/0e0eb637-f432-449a-98a6-2f3aa3177ff8/
SH256 hash:
db81002b2874cdc20123a6a943df0338386b945ebca26f3ff37ef071df59bd5d
MD5 hash:
a00b9106e0e0edaa5e6540711d67d08a
SHA1 hash:
076e53a2c72424d8b55d839a662ad2738b5f8bd1
Link:
https://www.unpac.me/results/0e0eb637-f432-449a-98a6-2f3aa3177ff8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db81002b2874cdc20123a6a943df0338386b945ebca26f3ff37ef071df59bd5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199569/

Comments