MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
SHA3-384 hash: f24c0800370fbad105658f21320ba010a4fd5417ad0523e666cbd5d9a7b1866524bbe692eaafd329fbe071b506b5d543
SHA1 hash: 8c249c34c64663874a75365086d8ebfbb1c07bc0
MD5 hash: 17b0dca4c5d5c3037c814ac1a253082b
humanhash: asparagus-east-oklahoma-vegan
File name:17b0dca4c5d5c3037c814ac1a253082b
Download: download sample
Signature DCRat
Create hunting rule
File size:457'216 bytes
First seen:2021-07-30 23:35:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep 12288:QbjDhu9T09gUX6yBedMSGu+wTS0TMLeYfS9UiDa:e1eT0PqyodsXwO0c6eiDa
Threatray 96 similar samples on MalwareBazaar
TLSH T120A4E06BB2A00189DBB585F6D5810742E670B0725760B3DB6BB917B72B1B4C68F3C3E1
Reporter zbetcheckin
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
551
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
17b0dca4c5d5c3037c814ac1a253082b
Verdict:
No threats detected
Analysis date:
2021-07-30 23:37:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9f28750e-6409-4ac3-aa8a-98a581d7e356

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175388/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34126398.28157.2351.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66dddf6e-ac8b-4477-bb49-b0b7d1108de7
Result
Threat name:
DCRat Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824748
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457158 Sample: 3XfDO85Dly Startdate: 31/07/2021 Architecture: WINDOWS Score: 100 89 127.0.0.1 unknown unknown 2->89 97 Antivirus detection for dropped file 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 7 other signatures 2->103 11 3XfDO85Dly.exe 9 2->11         started        14 svchost.exe 1 2->14         started        signatures3 process4 file5 87 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 11->87 dropped 16 cmd.exe 3 11->16         started        process6 process7 18 sys.exe 3 6 16->18         started        23 setup.exe 1 18 16->23         started        25 clo.exe 2 16->25         started        27 8 other processes 16->27 dnsIp8 91 192.168.2.1 unknown unknown 18->91 65 C:\...\WinruntimedhcpNetcommon.exe, PE32 18->65 dropped 105 Multi AV Scanner detection for dropped file 18->105 107 Machine Learning detection for dropped file 18->107 29 wscript.exe 18->29         started        67 C:\Windows\Client.exe, PE32 23->67 dropped 69 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 23->69 dropped 71 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 23->71 dropped 109 Disables security and backup related services 23->109 31 cmd.exe 1 23->31         started        33 cmd.exe 23->33         started        35 cmd.exe 23->35         started        37 cmd.exe 23->37         started        39 clo.exe 25->39         started        41 conhost.exe 25->41         started        93 cdn.discordapp.com 162.159.133.233, 443, 49714 CLOUDFLARENETUS United States 27->93 95 162.159.135.233, 443, 49719, 49722 CLOUDFLARENETUS United States 27->95 73 C:\Users\user\AppData\Local\Temp\...\sys.exe, PE32 27->73 dropped 75 C:\Users\user\AppData\Local\...\setup.exe, PE32 27->75 dropped 77 C:\Users\user\AppData\Local\Temp\...\clo.exe, PE32 27->77 dropped 43 conhost.exe 27->43         started        45 sc.exe 27->45         started        file9 signatures10 process11 process12 47 cmd.exe 29->47         started        49 net.exe 31->49         started        51 conhost.exe 31->51         started        53 conhost.exe 33->53         started        55 sc.exe 33->55         started        process13 57 WinruntimedhcpNetcommon.exe 47->57         started        61 conhost.exe 47->61         started        63 net1.exe 49->63         started        file14 79 C:\Windows\System32\mciqtz32\taskhostw.exe, PE32 57->79 dropped 81 C:\Windows\...\nUvQTARjoMpTg.exe, PE32 57->81 dropped 83 C:\Users\user\...\Memory Compression.exe, PE32 57->83 dropped 85 2 other malicious files 57->85 dropped 111 Machine Learning detection for dropped file 57->111 113 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 57->113 115 Uses schtasks.exe or at.exe to add and modify task schedules 57->115 117 Hides that the sample has been downloaded from the Internet (zone.identifier) 57->117 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b/
Threat name:
Win64.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 21:33:05 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aoe7733ubu55gzpsw2m2yadli6ffgrvb3qryhyip2ukso4ledqfq._file
Verdict:
malicious
Similar samples:
043933cf2d619c6da0e932c3e7a302f210f3ae09d924379f8ae257c9c291e292
DCRat
0dc975463ed56da75689bc1dbee1f22007743a1beaf5417951c186b967a597f8
DCRat
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb
DCRat
37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
DCRat
40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
DCRat
f60133f0545df116739879fd080e0fc688aece721a4123612ebaa479c2c551e0
DCRat
ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93
DCRat
+ 86 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata upx
Link:
https://tria.ge/reports/210730-wsbtpnfek6/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
MD5 hash:
17b0dca4c5d5c3037c814ac1a253082b
SHA1 hash:
8c249c34c64663874a75365086d8ebfbb1c07bc0
Link:
https://www.unpac.me/results/a4dfd245-2e23-42d1-b6ed-66f994beaa7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1493959/
Cape
Cape
https://www.capesandbox.com/analysis/175388/

Comments


Avatar
zbet commented on 2021-07-30 23:35:43 UTC

url : hxxp://45.137.190.166/clip.exe