MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3df75eda0f3fff88f4ab98a687f7ec50b1adde27dbb1bb0947f96892eebf493. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 8

SHA256 hash: e3df75eda0f3fff88f4ab98a687f7ec50b1adde27dbb1bb0947f96892eebf493
SHA3-384 hash: 9dd005cb10b304e51b656357af2257b5d324de471206c6b9567f3f9ac8ee710d38eb6ec885614b58bc4e86126d4812d3
SHA1 hash: e46b5dbf060cd08999adce8d0a3125adcb8a82fc
MD5 hash: d2bf3e6790adcdd2d33c9e2edb0c4f5a
humanhash: virginia-harry-fifteen-green
File name: D2BF3E6790ADCDD2D33C9E2EDB0C4F5A.exe
Signature: DCRat
File size: 1'818'072 bytes
First seen: 2021-07-19 03:51:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:22G/nvxW3Wzt0Mz7/JGxk9k+JbTY/X5IarO9H5oyOgQ8BrpFrZ5QYf3GSIMGW1sm:2bA3Ybz7/JbqF/XPOp5oH8fFfaWOm
Threatray: 709 similar samples on MalwareBazaar
TLSH: T131852302F841A871C5721E305979BA61653DBB201F15CDDFE7E81EADEA340E0B335AA7
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://83.220.169.205/toPhptraffic.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://83.220.169.205/toPhptraffic.php | https://threatfox.abuse.ch/ioc/160998/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 151
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: D2BF3E6790ADCDD2D33C9E2EDB0C4F5A.exe
Verdict: Malicious activity
Analysis date: 2021-07-19 03:52:48 UTC
Tags: stealer trojan rat backdoor dcrat evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files inside the volume driver (system volume information)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID 450429; sample T6DVPWonvH.exe; start date 19/07/2021; architecture WINDOWS; score 100. The graph nodes cover the sample, the dropped files C:\Users\user\AppData\Roaming\fNZBW.exe, C:\Windows\SysWOW64\wbem\...\WmiPrvSE.exe, C:\Windows\SysWOW64\mimefilt\dllhost.exe and C:\...\RuntimeBroker.exe (plus 5 other malicious files), the started Idle.exe, pFKtrYAKCNcLnPhfpGMr.exe, spoolsv.exe, schtasks.exe and conhost.exe processes, and the signatures listed above.
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2021-07-15 00:45:01 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments