MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

SHA256 hash: 37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
SHA3-384 hash: 45870829beb31b8ba04c83107a626730d045885f2f6bbc7b9f895b48d84d18baea5edd7dc08697d9c097a3156e8fe88d
SHA1 hash: 99a96553585592d9b6c95f576649e4d62fe38f19
MD5 hash: 41e9afb08381cd467ca368fba43d5604
humanhash: don-hawaii-three-king
File name: 41e9afb08381cd467ca368fba43d5604.exe
Signature: DCRat
File size: 411'136 bytes
First seen: 2021-07-08 15:22:00 UTC
Last seen: 2021-07-08 15:40:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a50e815adb2cfe3e58d388c791946db8 (2 x njrat, 2 x DCRat, 1 x Lucifer)
ssdeep: 12288:pm502L0l7zwwuGLE4uuFUbZheB5LtkLPIT1OJ:pm5K1wrGLpJu2p+PIpOJ
TLSH: T14194123ECAF6D8D5C06246F28E448288B08E79ADF0D22B5F7897E9594936150CF1673F
Reporter: abuse_ch
Tags: DCRat exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 154
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c.zip
Verdict: No threats detected
Analysis date: 2021-07-08 15:24:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Clipboard Hijacker DCRat
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BatToExe compiled binary
Yara detected Clipboard Hijacker
Yara detected DCRat
Behaviour
Behavior Graph: (rendered process graph not reproduced here; Behavior Graph ID: 446004, Sample: NLVe6O2NMv.exe, Startdate: 08/07/2021, Architecture: WINDOWS, Score: 100)
Threat name: Win64.Trojan.Bulz
Status: Malicious
First seen: 2021-07-08 13:08:09 UTC
AV detection: 15 of 46 (32.61%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:dcrat infostealer rat spyware stealer upx
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
DCRat Payload
DcRat
Unpacked files
SHA256 hash: 37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
MD5 hash: 41e9afb08381cd467ca368fba43d5604
SHA1 hash: 99a96553585592d9b6c95f576649e4d62fe38f19
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
DCRat
Executable exe 37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c (this sample)
Delivery method: Distributed via web download
