MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d88e62b7da45ea1be4c02dec30b6a31b53d42c31d1785f4a992e55c0147d825. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Lucifer
Vendor detections: 7

SHA256 hash: 9d88e62b7da45ea1be4c02dec30b6a31b53d42c31d1785f4a992e55c0147d825
SHA3-384 hash: be4f4d437d6f1149cd5e01a5e43ec2e2c283ebd1cde1b6de320c845c2cfbcf54222b8c84952d7366ea665c5347eb93fe
SHA1 hash: 6feb62df029b7857db90f5d722eb390e7ffe0f52
MD5 hash: fcdd36fea59663dd97eb71087a061ce8
humanhash: zebra-rugby-king-echo
File name: fcdd36fea59663dd97eb71087a061ce8.exe
Signature: Lucifer
File size: 400'792 bytes
First seen: 2021-07-07 08:06:19 UTC
Last seen: 2021-07-07 08:47:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a50e815adb2cfe3e58d388c791946db8 (2 x njrat, 2 x DCRat, 1 x Lucifer)
ssdeep: 12288:OoXW6nQZdzoRvaTp6Vle9ds81W7zoSlExB:OoHnikokvgd11Wov
Threatray: 51 similar samples on MalwareBazaar
TLSH: 88841203F3A68186D4055970AA6B43256F78FEEE3EC14414735AB3DE9DB2702DF3A216
Reporter: abuse_ch
Tags: exe Lucifer


abuse_ch
Lucifer C2:
http://62.109.6.34/Multisql.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://62.109.6.34/Multisql.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/158250/

Intelligence


File Origin
# of uploads: 2
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fcdd36fea59663dd97eb71087a061ce8.exe
Verdict: Suspicious activity
Analysis date: 2021-07-07 08:08:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DCRat Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 445155, Sample: OMJe815AqT.exe, Startdate: 07/07/2021, Architecture: WINDOWS, Score: 100]

Result
Malware family: n/a
Score: 10/10
Tags: family:dcrat infostealer rat upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
DCRat Payload
DcRat
Unpacked files
SHA256 hash: 7073c038931a5b7bd91d70b125274e99d7e4be800c125b41b343ff3e560d410d
MD5 hash: 58f1d59b829ff9e82912508d976b7920
SHA1 hash: dcdd8aad1f4d681eea66089fccf0f0040486b884

SHA256 hash: b06c37319ac87432fad5060617d0da5ff42678fd751691106a24aa13b34349f9
MD5 hash: 2ccf0df55034b0dced79a2939513869c
SHA1 hash: 401eb6c60d6484e5b5f7f2bdf140f39b709e3ca6

SHA256 hash: 9d88e62b7da45ea1be4c02dec30b6a31b53d42c31d1785f4a992e55c0147d825
MD5 hash: fcdd36fea59663dd97eb71087a061ce8
SHA1 hash: 6feb62df029b7857db90f5d722eb390e7ffe0f52
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments