MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f698f53c372a26a4ab1ecd516064546fcd24da106293786c04e638de3582b2cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f698f53c372a26a4ab1ecd516064546fcd24da106293786c04e638de3582b2cd
SHA3-384 hash: 5384f6bfe7c8591f12fe77fdc32c98b89b2ab81ebf1d0656af0d03eafbf3320c9458cfd2232dcb8d63a007a119a202da
SHA1 hash: 8f12f472db36bf57ac7f2a02f21549d1559c672c
MD5 hash: 245ed2db66c841556f3d7b52ab251030
humanhash: east-black-single-social
File name:245ed2db66c841556f3d7b52ab251030.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'232'478 bytes
First seen:2022-05-13 21:30:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:Q2G/nvxW3WwTeg6Q3OIrCsDwGUkg5VkAx:QbA3+QLCGQQG
Threatray 2'690 similar samples on MalwareBazaar
TLSH T1B645F90179ECCD13E2841533E1EAC7A447B0BC53B6A5D727F9693AED2533B93281858B
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0f33796961693b1f (2 x DCRat, 1 x RedLineStealer)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://31.148.99.171/_temp.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://31.148.99.171/_temp.php https://threatfox.abuse.ch/ioc/555804/

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270519/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17606/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/627ece1d89dc6403e7814f8c/reports/bbd38cd3-e5e2-4066-a6b6-57c7cdf23915/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3134b6f-b5b8-443e-9661-4ef76382cc14
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993908
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates executable files without a name
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Snort IDS alert for network traffic
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f698f53c372a26a4ab1ecd516064546fcd24da106293786c04e638de3582b2cd/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 22:33:29 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=62mpkpbxfitkjky6zviwazcun7gsjwqqmkjxq3ae4y4n4nmcwlgq._file
Verdict:
malicious
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
DCRat
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
DCRat
2a79ffb5b6d3f24310da1171812bb22ae42ddc348370c653590144a6b86283dc
DCRat
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
DCRat
8bc03680f98a99ea21d78a4a132be678f848a7209efa0656123745fba54fae03
DCRat
9479cdcb83b7b22199031e3a0208ad62e85fbaf02f9d7e53c8adaa888bdc94d2
DCRat
c1f1b8f358e98ae14b424dd8d57e022b8dc68c7c5f14a8d3dea8f1e66601f351
DCRat
f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d
DCRat
+ 2'680 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220513-1c14wsbhb8/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
suricata: ET MALWARE DCRAT Activity (GET)
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f698f53c372a26a4ab1ecd516064546fcd24da106293786c04e638de3582b2cd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270519/

Comments