MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149
SHA3-384 hash: ec352aab5344276b7b8dc198ec4c6032c8f5a8035e7c9102e98e6cffe0b28409104141c4aaf2f5a73f4c0adf4d0d1cb5
SHA1 hash: a82d6bafcc260138eb11b4a511ff6f3e80441ce3
MD5 hash: a4d367f98a1fa3e594af0875379bda39
humanhash: failed-blue-michigan-quebec
File name:9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'322'142 bytes
First seen:2022-01-14 18:13:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0tbhHlmyb8uonlHQwhn/r+47:UbA30dH36+yn/a4
Threatray 1'221 similar samples on MalwareBazaar
TLSH T1A9556B037A84CD05E0A91677C6EF421483BDAD423AA2DB1A7E8F735D21113A35E1D6EF
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php https://threatfox.abuse.ch/ioc/295289/

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 18:17:36 UTC
Tags:
trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/ce15d7aa-c3ed-4ac7-969e-865627d3e1f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219386/
Detection(s):
Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Running batch commands
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the system32 subdirectories
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4213/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed packed replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/61e1bd75e997359713edaf80/reports/31f0c0a6-9f23-47f1-a31c-85fa0d8fd785/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8c45d90-c880-4a22-90d6-84f1db732048
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/920891
Signature
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553369 Sample: 9bdcc933d0c04da1fa41ba915c4... Startdate: 14/01/2022 Architecture: WINDOWS Score: 92 42 Found malware configuration 2->42 44 Antivirus detection for dropped file 2->44 46 Yara detected DCRat 2->46 48 3 other signatures 2->48 9 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe 3 6 2->9         started        12 wjIuhVBtfHXnMCZlWDoj.exe 3 2->12         started        15 lsass.exe 14 2 2->15         started        18 5 other processes 2->18 process3 dnsIp4 38 C:\...\refhostperfdllCommonsessionnetsvc.exe, PE32 9->38 dropped 20 wscript.exe 1 9->20         started        58 Antivirus detection for dropped file 12->58 60 Machine Learning detection for dropped file 12->60 40 47.254.235.229, 49780, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 15->40 file5 signatures6 process7 process8 22 cmd.exe 1 20->22         started        process9 24 refhostperfdllCommonsessionnetsvc.exe 4 11 22->24         started        28 conhost.exe 22->28         started        file10 32 C:\Windows\...\backgroundTaskHost.exe, PE32 24->32 dropped 34 C:\Users\user\Pictures\...\lsass.exe, PE32 24->34 dropped 36 C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe, PE32 24->36 dropped 50 Antivirus detection for dropped file 24->50 52 Machine Learning detection for dropped file 24->52 54 Creates multiple autostart registry keys 24->54 56 3 other signatures 24->56 30 refhostperfdllCommonsessionnetsvc.exe 2 24->30         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 18:14:28 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpomsm6qybg2d6sbxkivyrqnt6sxhzf4laklr4yeb24phuu66feq._file
Verdict:
malicious
Similar samples:
2e7c0e72ebe65df6ed44631550c14d1dfce5c0a540ed450df984802890b25c53
DCRat
43f70516f8474945837667dfb53901e87635dcb48b5ffd4bb24697cdf303409b
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
51b8434c68594113a4036358e477fe1ae1b4cc0b99d653b224250e24537d87e2
DCRat
5487f2263ad9238d80e7db399d980f1bb66c1c5b43d5595165e097ee385ddb53
DCRat
6e491124fc83eb50eae434f1aafe070f9dba30d2ed03d10abd7cc2d91fcfc4dd
DCRat
99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16
DCRat
da685aede35b040929ea3cd659e921c89fe64e93551a94440ec7f9f8b1f85802
DCRat
+ 1'211 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/220114-wvcrssaadp/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
469328a4f5a9fb3be135507247f3ee29945f72172ee1d3bea76548559572ea77
MD5 hash:
059b5596e2236be9af29604c24dcc91e
SHA1 hash:
0666ef8d1d17122891bec2ec7f4833747146ac69
Link:
https://www.unpac.me/results/8aad4722-5e58-4874-a5d6-abee75be1496/
SH256 hash:
08d8db67ddae643ce598dc41c4bf56156079461a79cdb2bdb5783eb6fd804b51
MD5 hash:
4e66ae5c311a1aadc1241790c112525f
SHA1 hash:
0e697de0a696e498897118d193e4ebc854ead1e2
Link:
https://www.unpac.me/results/8aad4722-5e58-4874-a5d6-abee75be1496/
SH256 hash:
9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149
MD5 hash:
a4d367f98a1fa3e594af0875379bda39
SHA1 hash:
a82d6bafcc260138eb11b4a511ff6f3e80441ce3
Link:
https://www.unpac.me/results/8aad4722-5e58-4874-a5d6-abee75be1496/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219386/

Comments