MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4cd9d90c5f772963664e07973d5374984dc92381cd5ad1752037df71aab6185. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	f4cd9d90c5f772963664e07973d5374984dc92381cd5ad1752037df71aab6185
SHA3-384 hash:	9ceea13ade8e997f682b2029395ca436594de4160ea3887ab02a111ff417b454f63d1263cb8a2b25821b894a8e6bd388
SHA1 hash:	59749946d894e70ac6bbf30026dc63f8e5137c73
MD5 hash:	957b7deb406f4b269585e243e9b341ee
humanhash:	twelve-beer-maine-missouri
File name:	73166810.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'700'509 bytes
First seen:	2022-03-23 04:59:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:U2G/nvxW3Ww0th6CfIMH+0PGK92HnSOAY3jfx2twY7b5e5c4VsLjXi:UbA300C1H+0Fk5fx2tP7le5caF
Threatray	2'730 similar samples on MalwareBazaar
TLSH	T14475AE027A54CE52D0A50733C4EFC51843BCAC432A66DB5B7A8A3B9D21913E35E6D6CF
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	adm1n_usa32
Tags:	DCRat exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://94.103.81.144/To4flower/longpollExternaldle3/Externalapi2External/3Voiddbbetter/externalprotectBigload/7Wordpress/7Multi8/4javascriptSql/8Local8/16/wordpress/flower/Geo/8image/python/87/videoPolltrafficLocal.php	https://threatfox.abuse.ch/ioc/441538/

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/255318/

Detection(s):

Win.Trojan.Uztuby-9855059-0

Win.Ransomware.Clinix-9868408-0

Win.Packed.Uztuby-9937390-0

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a process

Unauthorized injection to a recently created process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10658/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware overlay packed packed replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe

Link:

https://www.filescan.io/uploads/623aa95cb94fb38cb4d6086b/reports/b28e0a7e-3605-431d-88bd-60adc79bf04f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0b50d851-5eb2-4890-a773-f8ad45906955

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/962344

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to steal Crypto Currency Wallets

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f4cd9d90c5f772963664e07973d5374984dc92381cd5ad1752037df71aab6185/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-23 05:00:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 42 (42.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6tgz3egf65zjmnte4b4xhvjxjgcnzerydtk22f2san67ogvlmgcq._file

Verdict:

malicious

DCRat

1934ca02e1627b6127c65310ffe6be91e216d53bfa4b90d0fe5ec4912c17e4cd

DCRat

73872c3c2ba2f4e09a18b0e0b3e00419b302781a83206512da39c28ae2e35fcc

DCRat

7dcf51a85a732f83474f19d96b405266668a9db0ed6a2e5617e1d74566940f63

DCRat

bdda6364d1ee783defaa82554c73dd628d1e616ed69da563afbae1c2cea2d6b7

DCRat

+ 2'720 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

spyware stealer suricata

Link:

https://tria.ge/reports/220323-fm1kwscadr/

Behaviour

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

suricata: ET MALWARE DCRAT Activity (GET)

Unpacked files

SH256 hash:

e631e418c6963907fd4941e122559cfd4328eba0fe93d08340658bae4ae5312e

MD5 hash:

afcf6fd7d1111a652c65f54905db07a7

SHA1 hash:

92cb739faa4735cdcdc769b13a899a81c337c983

Link:

https://www.unpac.me/results/e6ad6d15-9830-400f-8843-68c6acf9ae35/

SH256 hash:

909bef5ce235287e060fe4829a68525e96bd5314f3c272110cf13a4eb4ea63da

MD5 hash:

0d7cb7983ed42e1658a482df0aca6380

SHA1 hash:

6ec8a5ec5c9d8f8cb1e0ba861941a1f5c2e69198

Link:

https://www.unpac.me/results/e6ad6d15-9830-400f-8843-68c6acf9ae35/

SH256 hash:

f4cd9d90c5f772963664e07973d5374984dc92381cd5ad1752037df71aab6185

MD5 hash:

957b7deb406f4b269585e243e9b341ee

SHA1 hash:

59749946d894e70ac6bbf30026dc63f8e5137c73

Link:

https://www.unpac.me/results/e6ad6d15-9830-400f-8843-68c6acf9ae35/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4cd9d90c5f772963664e07973d5374984dc92381cd5ad1752037df71aab6185

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/255318/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample