MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash: 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149
SHA3-384 hash: ec352aab5344276b7b8dc198ec4c6032c8f5a8035e7c9102e98e6cffe0b28409104141c4aaf2f5a73f4c0adf4d0d1cb5
SHA1 hash: a82d6bafcc260138eb11b4a511ff6f3e80441ce3
MD5 hash: a4d367f98a1fa3e594af0875379bda39
humanhash: failed-blue-michigan-quebec
File name:9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Download: download sample
Signature DCRat
File size:1'322'142 bytes
First seen:2022-01-14 18:13:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (171 x DCRat, 97 x NanoCore, 78 x njrat)
ssdeep 24576:U2G/nvxW3Ww0tbhHlmyb8uonlHQwhn/r+47:UbA30dH36+yn/a4
Threatray 1'221 similar samples on MalwareBazaar
TLSH T1A9556B037A84CD05E0A91677C6EF421483BDAD423AA2DB1A7E8F735D21113A35E1D6EF
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (63 x DCRat, 32 x RedLineStealer, 28 x njrat)
Reporter @abuse_ch
Tags:DCRat exe


Twitter
@abuse_ch
DCRat C2:
http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 18:17:36 UTC
Tags:
trojan rat backdoor dcrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
–°reating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Running batch commands
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the system32 subdirectories
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed packed replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj
Score:
92 / 100
Signature
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553369 Sample: 9bdcc933d0c04da1fa41ba915c4... Startdate: 14/01/2022 Architecture: WINDOWS Score: 92 42 Found malware configuration 2->42 44 Antivirus detection for dropped file 2->44 46 Yara detected DCRat 2->46 48 3 other signatures 2->48 9 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe 3 6 2->9         started        12 wjIuhVBtfHXnMCZlWDoj.exe 3 2->12         started        15 lsass.exe 14 2 2->15         started        18 5 other processes 2->18 process3 dnsIp4 38 C:\...\refhostperfdllCommonsessionnetsvc.exe, PE32 9->38 dropped 20 wscript.exe 1 9->20         started        58 Antivirus detection for dropped file 12->58 60 Machine Learning detection for dropped file 12->60 40 47.254.235.229, 49780, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 15->40 file5 signatures6 process7 process8 22 cmd.exe 1 20->22         started        process9 24 refhostperfdllCommonsessionnetsvc.exe 4 11 22->24         started        28 conhost.exe 22->28         started        file10 32 C:\Windows\...\backgroundTaskHost.exe, PE32 24->32 dropped 34 C:\Users\user\Pictures\...\lsass.exe, PE32 24->34 dropped 36 C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe, PE32 24->36 dropped 50 Antivirus detection for dropped file 24->50 52 Machine Learning detection for dropped file 24->52 54 Creates multiple autostart registry keys 24->54 56 3 other signatures 24->56 30 refhostperfdllCommonsessionnetsvc.exe 2 24->30         started        signatures11 process12
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Status:
Malicious
First seen:
2022-01-14 18:14:28 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
469328a4f5a9fb3be135507247f3ee29945f72172ee1d3bea76548559572ea77
MD5 hash:
059b5596e2236be9af29604c24dcc91e
SHA1 hash:
0666ef8d1d17122891bec2ec7f4833747146ac69
SH256 hash:
08d8db67ddae643ce598dc41c4bf56156079461a79cdb2bdb5783eb6fd804b51
MD5 hash:
4e66ae5c311a1aadc1241790c112525f
SHA1 hash:
0e697de0a696e498897118d193e4ebc854ead1e2
SH256 hash:
9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149
MD5 hash:
a4d367f98a1fa3e594af0875379bda39
SHA1 hash:
a82d6bafcc260138eb11b4a511ff6f3e80441ce3

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php https://threatfox.abuse.ch/ioc/295289

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments