MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16
SHA3-384 hash: b450c3d68a835e02cf383e4ecb7144234a52ff6e0105888c288054fd4263e9c77f5d2be5b883408c61e25c6382a9db95
SHA1 hash: f591e3bb267304fb5261465552f80910306c9ec7
MD5 hash: b9a42f557b8e8d48bd5b061f8e714af9
humanhash: cat-pennsylvania-bluebird-virginia
File name:b9a42f557b8e8d48bd5b061f8e714af9.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'229'728 bytes
First seen:2021-09-11 09:20:40 UTC
Last seen:2021-09-11 10:21:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2004a5f6f543f8c26e144c1ceb66f943 (1 x DCRat, 1 x Mekotio)
ssdeep 24576:ZD7Xr5my0DPP23Iy5YAmRW6B8If0s83I4eqowSwa1X9tqY7JxiqSCj:ZD7Xroy0DPP23Iy5YAmw6B8If0F3IwoN
Threatray 155 similar samples on MalwareBazaar
TLSH T143459E0733A6C0E8DFA790F2C6255223D772781517389BDB24E0692DDFA3EA15B3A711
dhash icon fccccce4cccc4cbe (3 x DCRat, 2 x AsyncRAT, 1 x RedLineStealer)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://62.109.30.251/MathAutogeneratorgame/systemdemoWar/Serverpluginmessage/Autodatascreenplugin/Cpugame/anti/Cammobile/Pollpacketsql.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.109.30.251/MathAutogeneratorgame/systemdemoWar/Serverpluginmessage/Autodatascreenplugin/Cpugame/anti/Cammobile/Pollpacketsql.php https://threatfox.abuse.ch/ioc/220312/

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b9a42f557b8e8d48bd5b061f8e714af9.exe
Verdict:
No threats detected
Analysis date:
2021-09-11 09:23:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5b89e538-fc8f-4c10-bf78-759c86a42613

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187035/
Detection(s):
ditekSHen.MALWARE.Win.Trojan.RedLineDropper-AHK.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a80b57d-2e4b-429c-8bad-43cbcf1be604
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849110
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Creates an autostart registry key pointing to binary in C:\Windows
Creates files inside the volume driver (system volume information)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481541 Sample: pZ3FTJC5nw.exe Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 81 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->81 83 Antivirus detection for URL or domain 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 5 other signatures 2->87 11 pZ3FTJC5nw.exe 3 9 2->11         started        16 wininit.exe 2->16         started        18 explorer.exe 2->18         started        20 3 other processes 2->20 process3 dnsIp4 79 dr-prof.ru 92.53.96.193, 443, 49737, 49738 TIMEWEB-ASRU Russian Federation 11->79 75 C:\Users\user\AppData\Local\...\dlihost.exe, PE32 11->75 dropped 105 Sample or dropped binary is a compiled AutoHotkey binary 11->105 107 Contains functionality to detect sleep reduction / modifications 11->107 22 dlihost.exe 2 6 11->22         started        26 unarchiver.exe 5 11->26         started        109 Multi AV Scanner detection for dropped file 16->109 111 Machine Learning detection for dropped file 16->111 file5 signatures6 process7 file8 65 C:\...\savesruntimeBrokerFontwin.exe, PE32 22->65 dropped 93 Multi AV Scanner detection for dropped file 22->93 95 Machine Learning detection for dropped file 22->95 28 wscript.exe 1 22->28         started        30 cmd.exe 1 26->30         started        32 7za.exe 3 26->32         started        signatures9 process10 file11 35 cmd.exe 1 28->35         started        37 bombep.exe 30->37         started        39 conhost.exe 30->39         started        63 C:\Users\user\AppData\Local\...\bombep.exe, PE32 32->63 dropped 41 conhost.exe 32->41         started        process12 process13 43 savesruntimeBrokerFontwin.exe 9 21 35->43         started        47 conhost.exe 35->47         started        49 WerFault.exe 20 9 37->49         started        dnsIp14 67 C:\savesruntimeBroker\HxTsr.exe, PE32 43->67 dropped 69 C:\Windows\lsasetup\explorer.exe, PE32 43->69 dropped 71 C:\Users\user\AppData\Roaming\...\ctfmon.exe, PE32 43->71 dropped 73 5 other malicious files 43->73 dropped 97 Creates files inside the volume driver (system volume information) 43->97 99 Machine Learning detection for dropped file 43->99 101 Creates multiple autostart registry keys 43->101 103 3 other signatures 43->103 52 cmd.exe 43->52         started        77 192.168.2.1 unknown unknown 49->77 file15 signatures16 process17 process18 54 adnMWoNGzWyfyYPjjVKFephzRBB.exe 52->54         started        57 conhost.exe 52->57         started        59 chcp.com 52->59         started        61 w32tm.exe 52->61         started        signatures19 89 Multi AV Scanner detection for dropped file 54->89 91 Machine Learning detection for dropped file 54->91
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16/
Threat name:
ByteCode-MSIL.Downloader.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 07:56:36 UTC
AV detection:
15 of 43 (34.88%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgzdj3k7zk27dyxlxqfcn7k6ssr67ju7vwzhkbsvslvhzotdnyla._file
Verdict:
malicious
Similar samples:
0757a3b97f39c1d8a6c3d94770762a3912304cfaffa0330761945acd7f236213
DCRat
0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed
DCRat
19f71da28ebab8fe7256a657c603698ad607a7273e85d0e8b107269643cfa5dd
DCRat
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
DCRat
cba27621d4b7c92fd50bf37135e150b45097ca9306061ed7049f802047bbd1b9
DCRat
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
DCRat
+ 145 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/210911-lbbehsbbg8/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
DCRat Payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16
MD5 hash:
b9a42f557b8e8d48bd5b061f8e714af9
SHA1 hash:
f591e3bb267304fb5261465552f80910306c9ec7
Link:
https://www.unpac.me/results/a547eea7-ee29-4df0-8fc6-bc39cf31ad3d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_AHK_Downloader
Create hunting rule
Author:ditekSHen
Description:Detects AutoHotKey binaries acting as second stage droppers
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187035/

Comments