MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 6



SHA256 hash: 30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49
SHA3-384 hash: 793c40bb141d83cefae2fd89892f062e00e14f72125aaf625363e98a20184e7d0ab7786e771de79d99616dd3d83ec373
SHA1 hash: 238ce1edb9908e26cf703c41471bbfe203f0aba1
MD5 hash: be7793a353a9e25c0edcd4f26b09232f
humanhash: blue-early-winter-uncle
File name: be7793a353a9e25c0edcd4f26b09232f.exe
Signature: DCRat
File size: 459'264 bytes
First seen: 2021-08-02 06:00:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep: 12288:W5oaqjp/9Tn3IQhOsnadu1SQUf6qFFejKCENutI16p:W5v4DTn3BaQs6qTetzx
Threatray: 243 similar samples on MalwareBazaar
TLSH: T1ABA4F16672E50198DAF541F6D9920746EB7278B10B21F3CB1BA453B21B2B5C6CF3D3A0
Reporter: abuse_ch
Tags: DCRat exe
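The first thing to do with a sample pulled for this entry is to confirm that the bytes on disk are the ones the entry describes, since the MD5, SHA1, SHA256, SHA3-384 and file size above are the only identity the database gives you. The following script is an added example (not MalwareBazaar's own code): it hashes a local file with the standard library and reports every digest or size that disagrees with the values copied from the entry. It assumes the sample has already been extracted from the download archive to a plain file whose path is passed on the command line.

```python
"""Check a sample obtained for this entry against the digests MalwareBazaar lists.
Added example, not MalwareBazaar code; digest values are copied from the entry."""
import hashlib
from typing import Dict, List, Optional

# Values from the database entry above (hashlib algorithm names as keys).
ENTRY_DIGESTS: Dict[str, str] = {
    "md5": "be7793a353a9e25c0edcd4f26b09232f",
    "sha1": "238ce1edb9908e26cf703c41471bbfe203f0aba1",
    "sha256": "30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49",
    "sha3_384": "793c40bb141d83cefae2fd89892f062e00e14f72125aaf625363e98a20184e7d"
                "0ab7786e771de79d99616dd3d83ec373",
}
ENTRY_SIZE = 459_264  # bytes, from the entry


def digests(data: bytes, names=tuple(ENTRY_DIGESTS)) -> Dict[str, str]:
    """Lower-case hex digests of data for each named hashlib algorithm."""
    hashers = {n: hashlib.new(n) for n in names}
    for h in hashers.values():
        h.update(data)
    return {n: h.hexdigest() for n, h in hashers.items()}


def verify(data: bytes, expected: Dict[str, str],
           expected_size: Optional[int] = None) -> List[str]:
    """Return the names of the checks that fail; [] means the bytes match the entry.

    Digest comparison is case-insensitive; the size check is only done when
    expected_size is given.
    """
    actual = digests(data, tuple(expected))
    failed = [n for n, v in expected.items() if actual[n] != v.lower()]
    if expected_size is not None and len(data) != expected_size:
        failed.append("size")
    return failed


def verify_file(path: str) -> List[str]:
    """Read the whole file (the entry is 459 KB) and compare it with the entry."""
    with open(path, "rb") as f:
        return verify(f.read(), ENTRY_DIGESTS, ENTRY_SIZE)


if __name__ == "__main__":
    import sys
    problems = verify_file(sys.argv[1])  # path is a hypothetical local copy of the sample
    print("OK: matches entry" if not problems else "MISMATCH: " + ", ".join(problems))
```

Run it as `python verify_sample.py /path/to/extracted/sample.exe`; a non-empty mismatch list means you are not looking at the file this page describes (a different unpack stage, a truncated download, or the wrong archive member), and nothing else on the page should be assumed to apply to it.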

Intelligence


File Origin
# of uploads: 1
# of downloads: 558
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: be7793a353a9e25c0edcd4f26b09232f.exe
Verdict: No threats detected
Analysis date: 2021-08-02 06:06:35 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DCRat Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 457686; sample XWXJTOInGn.exe; start date 02/08/2021; architecture WINDOWS; score 100)

Root signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process that produced them):

XWXJTOInGn.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+)
    cmd.exe
        vbn.exe
            network: 192.168.2.1
            dropped: C:\...\WinruntimedhcpNetcommon.exe (PE32)
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            wscript.exe
                cmd.exe
                    WinruntimedhcpNetcommon.exe
                        dropped: C:\Windows\System32\...\UsoClient.exe (PE32); C:\Windows\SysWOW64\asycfilt\cmd.exe (PE32); C:\Users\user\Documents\AKAVpMaeSUK.exe (PE32); 4 other malicious files
                        signatures: Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier)
                    conhost.exe
        zxc.exe
            dropped: C:\Windows\Client.exe (PE32); C:\Users\user\AppData\Local\...\nsProcess.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
            signatures: Disables security and backup related services
            cmd.exe
                signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules
                net.exe
                    net1.exe
                conhost.exe
            cmd.exe
                conhost.exe
                sc.exe
            cmd.exe
                conhost.exe
                sc.exe
            2 other processes
                conhost.exe
                3 other processes
        clo.exe
            signatures: Injects a PE file into a foreign processes
            clo.exe
            conhost.exe
        7 other processes
            network: cdn.discordapp.com (162.159.129.233, port 443; local ports 49713, 49716; CLOUDFLARENETUS, United States)
            dropped: C:\Users\user\AppData\Local\Temp\...\zxc.exe (PE32); C:\Users\user\AppData\Local\Temp\...\vbn.exe (PE32); C:\Users\user\AppData\Local\Temp\...\clo.exe (PE32)
    conhost.exe
svchost.exe
    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
svchost.exe
    network: 127.0.0.1
7 other processes
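The signature list and process tree above describe behaviours that are easy to turn into endpoint detections: schtasks.exe persistence, sc.exe/net.exe stopping or disabling security and backup services, WMI queries for Win32_Bios/Win32_BaseBoard, payloads launched from %TEMP%, and a cmd.exe copy dropped under a made-up subdirectory of SysWOW64. The script below is an added example (not code from MalwareBazaar or from any sandbox vendor on this page) that encodes those behaviours as rules over process-creation events with Sysmon-style Image / CommandLine / ParentImage fields. The event shape, the list of service names treated as "security or backup related", and the sample events themselves are assumptions constructed for the example; they are not telemetry captured from this sample.

```python
"""Triage rules for the behaviours in the signature list above, run over
constructed process-creation events. Added example; the events and the
service list are assumptions, not data captured from the sample."""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the creating process


# Assumed set of services meant by "disables security and backup related
# services"; tune to the environment being monitored.
SECURITY_SERVICES = {"windefend", "wscsvc", "securityhealthservice", "mpssvc",
                     "sense", "vss", "wuauserv", "bits", "wbengine", "sdrsvc"}

# Where these system binaries legitimately live; the same file name anywhere
# else (C:\Windows\SysWOW64\asycfilt\cmd.exe in the tree above) is masquerading.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"cmd.exe", "svchost.exe", "usoclient.exe", "conhost.exe",
                   "wscript.exe", "sc.exe", "net.exe", "net1.exe", "schtasks.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _services_named(cmd: str) -> set:
    return {tok.strip('"') for tok in cmd.lower().split()} & SECURITY_SERVICES


def is_task_creation(e: ProcessEvent) -> bool:
    """schtasks /create or /change, or any use of at.exe."""
    n, c = _name(e.image), e.command_line.lower()
    return (n == "schtasks.exe" and ("/create" in c or "/change" in c)) or n == "at.exe"


def is_service_tampering(e: ProcessEvent) -> bool:
    """sc config/stop/delete or net stop aimed at a security or backup service."""
    n, c = _name(e.image), e.command_line.lower()
    if n == "sc.exe" and re.search(r"\b(config|stop|delete)\b", c):
        return bool(_services_named(c))
    if n in ("net.exe", "net1.exe") and " stop " in f" {c} ":
        return bool(_services_named(c))
    return False


def is_hardware_query(e: ProcessEvent) -> bool:
    """wmic or powershell asking for Win32_Bios / Win32_BaseBoard (VM check)."""
    c = e.command_line.lower()
    return _name(e.image) in ("wmic.exe", "powershell.exe") and bool(
        re.search(r"win32_(bios|baseboard)|\bbios\b|\bbaseboard\b", c))


def is_temp_execution(e: ProcessEvent) -> bool:
    """Process image located under the user's AppData\\Local\\Temp tree."""
    return "\\appdata\\local\\temp\\" in _dir(e.image) + "\\"


def is_masquerading_system_binary(e: ProcessEvent) -> bool:
    """System-binary file name running from a directory other than System32/SysWOW64."""
    return _name(e.image) in SYSTEM_BINARIES and _dir(e.image) not in SYSTEM_DIRS


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("scheduled task creation", is_task_creation),
    ("security/backup service tampering", is_service_tampering),
    ("BIOS/baseboard query (VM check)", is_hardware_query),
    ("execution from %TEMP%", is_temp_execution),
    ("system-binary name outside system directories", is_masquerading_system_binary),
]


def evaluate(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map the index of every event that fires at least one rule to the rule names."""
    hits: Dict[int, List[str]] = {}
    for i, e in enumerate(events):
        names = [name for name, pred in RULES if pred(e)]
        if names:
            hits[i] = names
    return hits


# Constructed events modelled on the process tree above (not captured data).
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\user\AppData\Local\Temp\zxc.exe", "zxc.exe", CMD),
    ProcessEvent(r"C:\Windows\System32\sc.exe", "sc config WinDefend start= disabled", CMD),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net stop vss", CMD),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /tn "Client" /tr "C:\Windows\Client.exe" /sc minute /mo 1', CMD),
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe", "wmic bios get serialnumber", CMD),
    ProcessEvent(r"C:\Windows\SysWOW64\asycfilt\cmd.exe", "cmd.exe", CMD),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[idx].image, "->", ", ".join(names))
```

Each rule on its own is noisy in a real estate (administrators create scheduled tasks and stop services), which is why the sandbox score above comes from the combination; when feeding real telemetry, correlate hits by parent process or by a short time window around a process started from %TEMP% rather than alerting on any single rule.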
Threat name: Win64.Infostealer.ClipBanker
Status: Malicious
First seen: 2021-08-01 23:33:44 UTC
AV detection: 16 of 46 (34.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: suricata upx
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SHA256 hash: 30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49
MD5 hash: be7793a353a9e25c0edcd4f26b09232f
SHA1 hash: 238ce1edb9908e26cf703c41471bbfe203f0aba1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: DCRat
File type: Executable exe
SHA256 hash: 30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49 (this sample)

Comments