MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff675539c1417f96cb5217e85570ac674c0f3785256456bcf16a63b457559ea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	ff675539c1417f96cb5217e85570ac674c0f3785256456bcf16a63b457559ea2
SHA3-384 hash:	70a9307c464836d5a78443abcb0eb84e108eb173504bbb7bc288d42b5a8f1eaa61f31804bb64e2b27ee049a718dccfc6
SHA1 hash:	2e41674f72e79df0acc58d1c6406018b6b5ea743
MD5 hash:	b95c25c4d056713caf77063b395d195d
humanhash:	nitrogen-mexico-harry-king
File name:	b95c25c4d056713caf77063b395d195d.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	441'856 bytes
First seen:	2022-01-07 19:21:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:ZqqDLO7yF925vZhDj/Vns3DfgSqTACywsg15TCblm9A/b7mBgmQlRC3YQ9:UqnOeF9AZhDj/VWD9Qp15WbIAHmmmQ
Threatray	144 similar samples on MalwareBazaar
TLSH	T18F946C1437EC1A15F2BFABB9C4B224A59775B457BA6BD70F0CC1118A0A22701ED81F7B
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://79.174.12.172/pollrequest/2/Line/js6line/sql/7PollVoiddbBetter/0local5/updateTrack/TempLocallinux0/7_/5/cpuImagewindows/UniversalProviderTemporary/85/wpprocessor3server/LinuxVoiddb/Datalife3/packetGeo.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://79.174.12.172/pollrequest/2/Line/js6line/sql/7PollVoiddbBetter/0local5/updateTrack/TempLocallinux0/7_/5/cpuImagewindows/UniversalProviderTemporary/85/wpprocessor3server/LinuxVoiddb/Datalife3/packetGeo.php	https://threatfox.abuse.ch/ioc/291794/

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b95c25c4d056713caf77063b395d195d.exe

Verdict:

Malicious activity

Analysis date:

2022-01-07 19:24:54 UTC

Tags:

trojan rat backdoor dcrat

Link:

https://app.any.run/tasks/44f0e095-3b58-4f66-8bc4-f2d8a917df6c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DCRat

Link:

https://www.capesandbox.com/analysis/217759/

Detection(s):

Win.Packed.Uztuby-9891175-0

Win.Packed.Uztuby-9901274-0

Win.Packed.Passwordstealera-9917697-0

Win.Packed.Generic-9933055-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the system32 subdirectories

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the Program Files subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm greyware hacktool obfuscated packed stealer

Link:

https://www.filescan.io/uploads/61d892a21c0d769df9d65ebd/reports/a759ed3f-465f-4c7f-9a38-e3916e7637cb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a250af2-d5bc-4563-93a0-5a3e6cdeaee6

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/916989

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Creates processes via WMI

Detected unpacking (overwrites its own PE header)

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files to the user root directory

Drops PE files with benign system names

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff675539c1417f96cb5217e85570ac674c0f3785256456bcf16a63b457559ea2/

Threat name:

ByteCode-MSIL.Downloader.Krocomain

Status:

Malicious

First seen:

2022-01-05 20:08:00 UTC

File Type:

PE (.Net Exe)

AV detection:

31 of 43 (72.09%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=75tvkoobif7zns2sc7ufk4fmm5ga6n4fevsfnphrnjr3iv2vt2ra._file

Verdict:

malicious

DCRat

22b0ba08a07f8fd3029cc598f338b78cfe2ccdad4dc422d8dbe856ad11f24c70

DCRat

40447d9c2e75f5228b738bc2bcd9fcc16deeb9a08e5c247b2f9744b09caeef10

DCRat

5ed80f3e0c9d4c92b05864fafffd410becd10235c0cb34cd1ac46090dc83f293

DCRat

68f6d55f31e87cebb1b5c9ea96e9c770464f8d6a937dda00b5a7139f79240d7c

DCRat

8ce5aafe47667edfe0b9c5ca962481fa5c1b7190278eee1dd06e4aa0c30ea5ab

DCRat

+ 134 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence suricata

Link:

https://tria.ge/reports/220107-x2ny3sdacl/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Executes dropped EXE

Process spawned unexpected child process

suricata: ET MALWARE DCRAT Activity (GET)

Unpacked files

SH256 hash:

4a231c28b034dec502f56dd55b1c6753b7471eac79e79a28828f30534cd5b4bc

MD5 hash:

60475c865a2f8c21a12188e078e304d8

SHA1 hash:

cc59905c3eb57bc37382108d1168b6cb9d44f9e2

Link:

https://www.unpac.me/results/f829ca88-b267-4bd5-9ca4-26472862b6bb/

Parent samples :

327c974b8d165bfbdc0c4277bd3d68e24b6d55a6d970340662ff78468a9c4e29
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99

SH256 hash:

ff675539c1417f96cb5217e85570ac674c0f3785256456bcf16a63b457559ea2

MD5 hash:

b95c25c4d056713caf77063b395d195d

SHA1 hash:

2e41674f72e79df0acc58d1c6406018b6b5ea743

Link:

https://www.unpac.me/results/f829ca88-b267-4bd5-9ca4-26472862b6bb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/ff675539c1417f96cb5217e85570ac674c0f3785256456bcf16a63b457559ea2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing bas64 encoded gzip files

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	MALWARE_Win_DCRat Create hunting rule
Author:	ditekSHen
Description:	DCRat payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/217759/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample