MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93
SHA3-384 hash: 467b5a735d84873326fc635968d5d81c39c2cdfbb404ef88dac4125c368a12231c2a432a0a213e8c2b4aab07eff7d1a9
SHA1 hash: e9babf9ba666f9b333bf0ade172a5b82a399739a
MD5 hash: e89f2eff99c628af8bee288492383b3d
humanhash: thirteen-yankee-magazine-high
File name:E89F2EFF99C628AF8BEE288492383B3D.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'422'515 bytes
First seen:2021-07-12 20:02:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0t2BFbeH/if94j2TZA7uxj260p+4E:UbA30Mafif6j174h
Threatray 453 similar samples on MalwareBazaar
TLSH T1846549027A84DE11D0691637C9EF842C57BCFE023B62DB1B7A9A339D64553A35D0E2CB
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://37.46.128.122/bin/logtracesearcher/PythonMulti.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://37.46.128.122/bin/logtracesearcher/PythonMulti.php https://threatfox.abuse.ch/ioc/159906/

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E89F2EFF99C628AF8BEE288492383B3D.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 20:02:47 UTC
Tags:
stealer trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/d60f8121-e7ff-483b-a9a1-120d1da32a9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171184/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

Win.Packed.Uztuby-9877681-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/825b7f4c-074a-478f-bb43-d6bb96c4355e
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815136
Signature
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447547 Sample: hhCaRkMw7x.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 67 Found malware configuration 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 6 other signatures 2->73 10 hhCaRkMw7x.exe 3 6 2->10         started        13 explorer.exe 3 2->13         started        16 IntoPerfmonitornetdhcpRefDllCommon.exe 2->16         started        18 HceaeSujTpDEf.exe 3 2->18         started        process3 file4 65 C:\...\IntoPerfmonitornetdhcpRefDllCommon.exe, PE32 10->65 dropped 20 wscript.exe 1 10->20         started        83 Multi AV Scanner detection for dropped file 13->83 85 Machine Learning detection for dropped file 13->85 87 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->87 signatures5 process6 process7 22 cmd.exe 1 20->22         started        process8 24 IntoPerfmonitornetdhcpRefDllCommon.exe 3 22 22->24         started        28 conhost.exe 22->28         started        file9 57 C:\Windows\WMSysPr9\explorer.exe, PE32 24->57 dropped 59 C:\Windows\System32\wbem\...\WmiPrvSE.exe, PE32 24->59 dropped 61 C:\Windows\System32\mscandui\UsoClient.exe, PE32 24->61 dropped 63 3 other malicious files 24->63 dropped 75 Multi AV Scanner detection for dropped file 24->75 77 Machine Learning detection for dropped file 24->77 79 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->79 81 3 other signatures 24->81 30 cmd.exe 1 24->30         started        33 schtasks.exe 1 24->33         started        35 schtasks.exe 1 24->35         started        37 4 other processes 24->37 signatures10 process11 signatures12 89 Uses ping.exe to sleep 30->89 91 Uses ping.exe to check the status of other devices and networks 30->91 39 conhost.exe 30->39         started        41 chcp.com 30->41         started        55 2 other processes 30->55 43 conhost.exe 33->43         started        45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        49 conhost.exe 37->49         started        51 conhost.exe 37->51         started        53 conhost.exe 37->53         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 03:28:58 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=74opeipeigd4z5jyfourwjuzc4rls7jn2dxsllqll7nbeqs2jkjq._file
Verdict:
malicious
Similar samples:
043933cf2d619c6da0e932c3e7a302f210f3ae09d924379f8ae257c9c291e292
DCRat
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
DCRat
40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f
DCRat
4b734afbb65c47d96c53ddc24250cacf96e62bbc56e0c64eca978d3255bbc745
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
748f35be261019103aae31d43b1fa88fda9cbc99043122e76b5c0a0d94cb808f
DCRat
b7700c66e40ddd73a718794c1f295d1a56251aa0cdb89b215120a09bb5e61e9e
DCRat
bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
DCRat
+ 443 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat spyware stealer
Link:
https://tria.ge/reports/210712-w6xnbqwgf2/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DCRat Payload
DcRat
Unpacked files
SH256 hash:
254d0d52813051a5bdc363963c049901f62704aff9e3e48547c531842f38c769
MD5 hash:
2ab7136314c9bde37c2338b19b5844d9
SHA1 hash:
11088d477892577d788be26ae895123f18f76d88
Link:
https://www.unpac.me/results/6217f515-14a1-40bf-a037-689697426899/
SH256 hash:
7a854c64e2a5445cf1392719812ad0a509a84e771aea16b8b15a92720e4a68d7
MD5 hash:
61f9a3d52e18b48b7a1ed30b9f7b60c1
SHA1 hash:
50152ab6b40efc295e85c173a9fe6cb169063c50
Link:
https://www.unpac.me/results/6217f515-14a1-40bf-a037-689697426899/
SH256 hash:
ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93
MD5 hash:
e89f2eff99c628af8bee288492383b3d
SHA1 hash:
e9babf9ba666f9b333bf0ade172a5b82a399739a
Link:
https://www.unpac.me/results/6217f515-14a1-40bf-a037-689697426899/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171184/

Comments