MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27a9d3cfb4b2ac98865a12ac4044f9ef4f131975d42ef57ec0cb815f6e8295cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27a9d3cfb4b2ac98865a12ac4044f9ef4f131975d42ef57ec0cb815f6e8295cb
SHA3-384 hash: 12ac3e1ffbb57e6a4fa024e5fe2ed907f9c17524631a58b205a28f9b570c6cac6f0b73fe0c83ff0d4568df47430fa893
SHA1 hash: 7371b85deecf98a40c2c7524fafc827ec12ed354
MD5 hash: 2f2477ea33c1a2f20518e231ea7df8a8
humanhash: nuts-kentucky-failed-island
File name:2f2477ea33c1a2f20518e231ea7df8a8.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'366'912 bytes
First seen:2024-05-30 01:55:12 UTC
Last seen:2024-05-30 02:19:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep 49152:IszhpyxI/+llnZ5UOiGWv7sC9vZbnbLgdyc0drPOAaiMQO:IsLaI/+lt+GwF9vZD/IdncMQ
Threatray 557 similar samples on MalwareBazaar
TLSH T1D6F53327AAF71F64D46739B6AC3CE8F4B75C376226A6A09861B4408D431B04FC95D3F8
TrID 32.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.8% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://434778cm.n9shteam1.top/processgameBigloadDbflower.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
409
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
27a9d3cfb4b2ac98865a12ac4044f9ef4f131975d42ef57ec0cb815f6e8295cb.exe
Verdict:
Malicious activity
Analysis date:
2024-05-30 01:55:42 UTC
Tags:
dcrat rat remote darkcrystal
Link:
https://app.any.run/tasks/655a809d-1341-47d0-b5c2-f9fb0732bda0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.4328.11866.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6657dcc620ad30d287676e03win7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Other Static Stealth Heur Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Creating a process with a hidden window
Loading a suspicious library
Creating a file in the Program Files subdirectories
Launching a process
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fasm packed peunion
Link:
https://www.filescan.io/uploads/6657dcb3458fabe8a95d0e84/reports/1a133946-e95e-4130-8dde-bb9b2b006317/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/27a9d3cfb4b2ac98865a12ac4044f9ef4f131975d42ef57ec0cb815f6e8295cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f2ca367b-68c6-4595-998f-d4a4594fb4be
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1449307
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1449307 Sample: a2LSL5X6vd.exe Startdate: 30/05/2024 Architecture: WINDOWS Score: 100 68 434778cm.n9shteam1.top 2->68 76 Snort IDS alert for network traffic 2->76 78 Multi AV Scanner detection for domain / URL 2->78 80 Antivirus detection for URL or domain 2->80 82 12 other signatures 2->82 12 a2LSL5X6vd.exe 2 2->12         started        signatures3 process4 file5 60 C:\Users\user\AppData\Local\Temp\def.exe, PE32 12->60 dropped 15 def.exe 3 6 12->15         started        process6 file7 62 C:\Agentcomponent\surrogateCrt.exe, PE32 15->62 dropped 64 C:\...\ijZNkiF3uMiUVv7nmakr62i.vbe, data 15->64 dropped 70 Antivirus detection for dropped file 15->70 72 Multi AV Scanner detection for dropped file 15->72 74 Machine Learning detection for dropped file 15->74 19 wscript.exe 1 15->19         started        signatures8 process9 signatures10 84 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->84 22 cmd.exe 1 19->22         started        process11 process12 24 surrogateCrt.exe 3 21 22->24         started        28 conhost.exe 22->28         started        file13 52 C:\Windows\Media\Landscape\smartscreen.exe, PE32 24->52 dropped 54 C:\Users\user\Desktop\tDlJHbur.log, PE32 24->54 dropped 56 C:\Users\user\Desktop\XBTNgJZi.log, PE32 24->56 dropped 58 7 other malicious files 24->58 dropped 88 Antivirus detection for dropped file 24->88 90 Multi AV Scanner detection for dropped file 24->90 92 Machine Learning detection for dropped file 24->92 30 cmd.exe 1 24->30         started        signatures14 process15 signatures16 94 Uses ping.exe to sleep 30->94 96 Uses ping.exe to check the status of other devices and networks 30->96 33 TAWQSTmymzUwNgVbhe.exe 14 462 30->33         started        38 conhost.exe 30->38         started        40 PING.EXE 1 30->40         started        42 chcp.com 1 30->42         started        process17 dnsIp18 66 434778cm.n9shteam1.top 104.21.22.205, 53448, 53449, 53450 CLOUDFLARENETUS United States 33->66 44 C:\Users\user\Desktop\pTakaBiY.log, PE32 33->44 dropped 46 C:\Users\user\Desktop\gkGUrYdq.log, PE32 33->46 dropped 48 C:\Users\user\Desktop\XHyfHfOJ.log, PE32 33->48 dropped 50 C:\Users\user\Desktop\LWsgBTEg.log, PE32 33->50 dropped 86 Tries to harvest and steal browser information (history, passwords, etc) 33->86 file19 signatures20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/27a9d3cfb4b2ac98865a12ac4044f9ef4f131975d42ef57ec0cb815f6e8295cb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27a9d3cfb4b2ac98865a12ac4044f9ef4f131975d42ef57ec0cb815f6e8295cb/
Threat name:
Win32.Trojan.ExNuma
Create hunting rule
Status:
Malicious
First seen:
2024-05-27 18:06:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6u5ht5uwkwjrbs2ckwearhz55hrgglv2qxpk7wazoav63ucsxfq._file
Verdict:
malicious
Similar samples:
21aed8462506d9f38c45cea33783a3d532f73c97a1ee1b4f35470d3cf4db699a
DCRat
27a9d3cfb4b2ac98865a12ac4044f9ef4f131975d42ef57ec0cb815f6e8295cb
DCRat
c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70
DCRat
e0aa620a8b2b7688482b39a6fafabe217fa4d774ce7441721e42b6bfdc88c450
DCRat
e76ef27047a9299a7c1a2cc8f33c16342f698cf55fbf85b088841f8a2a1015b7
DCRat
fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e
DCRat
+ 547 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240530-ccn8bsbd45/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2c87bf02-6e69-4d76-bf1a-ba8adb776284
Unpacked files
SH256 hash:
5153b60b002a0b82848661b6dc00df9e184ef2a3f800aac3e90f2f868b403c46
MD5 hash:
f99323ccbdf71989e975c21ef85ebe10
SHA1 hash:
bd71d9c530579b5944bfdd1a6a3b1b4f52f4eab3
Link:
https://www.unpac.me/results/99713e20-f3c4-4b4f-a69d-d08413f4590b/
SH256 hash:
345ce9012cada954496ba98ca0df45793d78b28ae1b882bdf568942cf1463068
MD5 hash:
b88cf9e6d3839b7dc1fe083a142ff9e5
SHA1 hash:
a302ac75a3a00ae69013499530f76adcff9be592
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/99713e20-f3c4-4b4f-a69d-d08413f4590b/
SH256 hash:
27a9d3cfb4b2ac98865a12ac4044f9ef4f131975d42ef57ec0cb815f6e8295cb
MD5 hash:
2f2477ea33c1a2f20518e231ea7df8a8
SHA1 hash:
7371b85deecf98a40c2c7524fafc827ec12ed354
Link:
https://www.unpac.me/results/99713e20-f3c4-4b4f-a69d-d08413f4590b/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::VirtualAllocExNuma
kernel32.dll::CreateThread
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA

Comments