MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c37b9479b2968218e9019296f1069b7ef6cc65abeb2b48cb34ac682a2c8c736e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

SHA256 hash: c37b9479b2968218e9019296f1069b7ef6cc65abeb2b48cb34ac682a2c8c736e
SHA3-384 hash: 568b2ce3b68bdb23ce328335e0efec6e89757d0d42a17a955ea823e49c34ffcd1aa31b69dfe88ece775fd19db6c331f1
SHA1 hash: e91aaada6ded0c902a43f64c6d71f37e53b02531
MD5 hash: be5be85af4ddc5c71bdcb5ab8bd3c67d
humanhash: venus-zebra-quiet-island
File name: be5be85af4ddc5c71bdcb5ab8bd3c67d.exe
Signature: DCRat
File size: 332'800 bytes
First seen: 2021-07-07 11:46:03 UTC
Last seen: 2021-07-07 12:49:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a50e815adb2cfe3e58d388c791946db8 (2 x njrat, 2 x DCRat, 1 x Lucifer)
ssdeep: 6144:4V28oKd5ATFT0GmsAZLLm1Ht5gk9uCo+/khxZK7oPkDFvoSiJFxX:4oE76FT7sZLLmv5oJ+QKCqvoSiJ
TLSH: B464128473E681C6E42280F08D62ED3CB8EEF8ADD1E45625FCE27B7514A55814E2E31F
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://62.109.6.34/Multisql.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://62.109.6.34/Multisql.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/158250/

Intelligence


File Origin
# of uploads: 2
# of downloads: 154
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be5be85af4ddc5c71bdcb5ab8bd3c67d.exe
Verdict:
Malicious activity
Analysis date:
2021-07-07 11:49:39 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Clipboard Hijacker DCRat
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BatToExe compiled binary
Yara detected Clipboard Hijacker
Yara detected DCRat
Behaviour
Behavior Graph:
Behavior Graph ID: 445234
Sample: SaI1j8jXQY.exe
Start date: 07/07/2021
Architecture: WINDOWS
Score: 100
Processes observed in the graph: SaI1j8jXQY.exe, smartscreen.exe, sqlcmd.exe, UkhlqhrXZuuBGhqFLSVf.exe, cmd.exe, schtasks.exe, conhost.exe, cc.exe, Klipper.exe, wscript.exe, chcp.com, FontSavesperfsvcfontrefSession.exe (plus several further cmd.exe, schtasks.exe and conhost.exe instances)
Dropped files:
  C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32)
  C:\...\FontSavesperfsvcfontrefSession.exe (PE32)
  C:\FontSavesperfsvc\2znK0l6JhVTbQbA.vbe (data)
  C:\Users\user\AppData\Roaming\...\sqlcmd.exe (PE32)
  C:\Users\user\AppData\Local\Temp\...\cc.exe (PE32)
  C:\Users\user\AppData\Local\...\Klipper.exe (PE32)
  C:\Windows\System32\msports\winlogon.exe (PE32)
  C:\Users\user\Music\smartscreen.exe (PE32)
  C:\Users\Default\AppData\...\conhost.exe (PE32)
  2 other malicious files
Network connections:
  cdn.discordapp.com 162.159.130.233, port 443 (CLOUDFLARENETUS, United States)
  162.159.135.233, port 443 (CLOUDFLARENETUS, United States)
  192.168.2.1 (unknown)
Signatures attached to graph nodes: Found malware configuration; Multi AV Scanner detection for dropped file; Yara detected Clipboard Hijacker; Machine Learning detection for dropped file; Antivirus detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Contains functionality to compare user and computer (likely to detect sandboxes); Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Hides that the sample has been downloaded from the Internet (zone.identifier); 7 other signatures
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Status:
Malicious
First seen:
2021-07-07 11:46:13 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:dcrat infostealer rat upx
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
DCRat Payload
DcRat
Unpacked files
SHA256 hash: a8e9117eab6a7587af7943d387ea32083b808abf650b5faccae288a2dbca3495
MD5 hash: 8caa0fbfe2ce82919adf3b501d6d374c
SHA1 hash: 5a0488432e74007f15061884b8aecf31991971a2
SHA256 hash: 4b7732afb85c7098f6b569b49b137ef4a05167802f29b4096c26cb307e513647
MD5 hash: 0de6afd3d39447c660ad79c3fc183d31
SHA1 hash: 303aaf9735b21c8923a92a40d6d4ab1446b584e4
SHA256 hash: c37b9479b2968218e9019296f1069b7ef6cc65abeb2b48cb34ac682a2c8c736e
MD5 hash: be5be85af4ddc5c71bdcb5ab8bd3c67d
SHA1 hash: e91aaada6ded0c902a43f64c6d71f37e53b02531
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family
Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe c37b9479b2968218e9019296f1069b7ef6cc65abeb2b48cb34ac682a2c8c736e (this sample)

Delivery method: Distributed via web download

Comments