MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d
SHA3-384 hash: 46a46a1becaad3d3abb093a838e464af5e6c9a2887bd01f11be1c7bb30385f7d57347316feaeea805ddc424abff7581a
SHA1 hash: 0c362d1880081df5e1101f2f6d5c60f29d5a2f8d
MD5 hash: 13f834e84beb9208eaba2a22a286bcf7
humanhash: tango-montana-orange-floor
File name:13f834e84beb9208eaba2a22a286bcf7.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'583'708 bytes
First seen:2022-05-13 04:06:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:Q2G/nvxW3WwBet0FCa0/2H3wv0F0JUf7JLGRC2dH73eedcg8kbaSm:QbA38t0FCa0/2HtGWyTFeOt8r
Threatray 3'658 similar samples on MalwareBazaar
TLSH T135754B027EECCD13E2981132E1EAC7584770BC53B6A5D317FDA93AED6433B936808596
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0f33796961693b1f (2 x DCRat, 1 x RedLineStealer)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://31.148.99.171/_temp.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://31.148.99.171/_temp.php https://threatfox.abuse.ch/ioc/555804/

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270282/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file in the %temp% directory
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17446/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/627dd9690e3f8543726afdc6/reports/e547d43a-3f05-4929-9cfd-46da0349e346/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b770db0b-944b-46cd-8f32-a02e596c1f75
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993293
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates executable files without a name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d/
Threat name:
ByteCode-MSIL.Backdoor.DcRat
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 22:33:29 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6pam5b6epwfjavcy7e25pypqssjnzqhj4pmsdwmtshlse2lb5noq._file
Verdict:
malicious
Similar samples:
52454dbf98d4eed3fe5f26c6139f74c5d858499b7e73040b57186311dc46e92a
DCRat
8afc46661f87c6c9e0b4fc2d6654809ac04049a02907ded2332a173a5f006f3e
DCRat
cfae61bf8bc9dc0fec9b0765377bc8312d79710adca08e5de4f36a4a7d21b1a2
DCRat
d9df7c3907c65ebb3aa556e47f8eac64e16d3415c9a8695cd7ea754b1612055b
DCRat
e8da6a083a85303e0c32aa2b065fbdcb77422b919bc8a5d92e1c9dead700ff31
DCRat
+ 3'648 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer suricata
Link:
https://tria.ge/reports/220513-epmldaccb8/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
d59ac241e2883770708c0fd54b9a66f33b0d0bb2a9d8ccc7b72ec646c30ee660
MD5 hash:
49cc893ea8c73466b04c9a21f5b02cbd
SHA1 hash:
363616a65db0e098e1b221304f0eff1af9ba3cd8
Link:
https://www.unpac.me/results/cb723b6c-6cad-4928-9eeb-2b405c68af6c/
SH256 hash:
6e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6
MD5 hash:
bab21aac84fcbf6ff5639c699b8e5273
SHA1 hash:
baa4a9333d2ebfdd521780c65f9e11c516877a82
Link:
https://www.unpac.me/results/cb723b6c-6cad-4928-9eeb-2b405c68af6c/
SH256 hash:
f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d
MD5 hash:
13f834e84beb9208eaba2a22a286bcf7
SHA1 hash:
0c362d1880081df5e1101f2f6d5c60f29d5a2f8d
Link:
https://www.unpac.me/results/cb723b6c-6cad-4928-9eeb-2b405c68af6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270282/

Comments