MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 151a6ee585c2f164b0adf97bb404558186293d218eda29d8f9ec25f67c706aa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 151a6ee585c2f164b0adf97bb404558186293d218eda29d8f9ec25f67c706aa6
SHA3-384 hash: 4270c5205bc566b195247e31fe3c53099add0e0bf428860eed52d0ee879dd1781b8162e7ed24ee476b7fc74d1f9e0361
SHA1 hash: 14b6c6ad2308ecc71a921876ca684f0ca531a945
MD5 hash: cb7828d2c749261635d4509ba51904e5
humanhash: green-xray-black-apart
File name:151a6ee585c2f164b0adf97bb404558186293d218eda2.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'011'200 bytes
First seen:2023-02-14 19:13:16 UTC
Last seen:2023-02-14 20:33:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4daca7182a967075c4a8cd470c438efe (7 x RedLineStealer, 3 x Vidar, 1 x DCRat)
ssdeep 24576:Z5aInSOZb08lO/uM4bxhD1PTgX9dxsGcj2wIopXAHYq4:ZQIvPXQxJb2
TLSH T16225AD5025A81DE3F5EB9EFF2A2156AAF913643F456E270A120DD4F0C92E14293BC7C7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://94.142.138.30/temporaryPolllocal/SecureauthSqlWindowscdn.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
151a6ee585c2f164b0adf97bb404558186293d218eda2.exe
Verdict:
Malicious activity
Analysis date:
2023-02-14 19:24:23 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/192e19ff-93a8-4228-9053-7120e24a86ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/366036/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7358.29874.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Reading critical registry keys
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/69849/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63ebdd7b6ea97adc8fc229af/reports/6f98dcba-0f0b-46a5-9933-036e036df718/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/151a6ee585c2f164b0adf97bb404558186293d218eda29d8f9ec25f67c706aa6
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de7b103d-6159-4613-a3da-4ef95dc3d5a9
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1175351
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/151a6ee585c2f164b0adf97bb404558186293d218eda29d8f9ec25f67c706aa6/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 19:14:31 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cung5zmfylywjmfn7f53ibcvqgdcspjbr3nctwhz5qs7m7dqnkta._file
Verdict:
malicious
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat spyware
Link:
https://tria.ge/reports/230214-xxm6zsfe76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
DCRat payload
DcRat
Unpacked files
SH256 hash:
18fe48031a18449fab109af60ba11c09558d0a388962c14c1be453aff9126c0f
MD5 hash:
ad122d61ca248b162cc410a0d8220ee5
SHA1 hash:
c0c0f96efde22b527c90d8b3552f0a5584e317bb
Link:
https://www.unpac.me/results/a4e2538f-5ad7-4df4-a233-fdd078d3b2cc/
SH256 hash:
8e70b153c0c449b40027879028371cf86d0755b2fa86f380f33c1579a2873c46
MD5 hash:
bfbc04b2441b9609e1704ffa781d2514
SHA1 hash:
2b271bb94d6217130c0ebb1d1dc4eb56224198c8
Link:
https://www.unpac.me/results/a4e2538f-5ad7-4df4-a233-fdd078d3b2cc/
SH256 hash:
e16d31256434834519f0fc54095f9a5e03700adaba2e51a75dad1ab581441323
MD5 hash:
1edd3839f47ae345890b4dc71ba6cfe5
SHA1 hash:
0b6593476cd3f7a7292c1e5f63e137aebb147708
Link:
https://www.unpac.me/results/a4e2538f-5ad7-4df4-a233-fdd078d3b2cc/
SH256 hash:
ee61e4afb3501fff54d6602fe8fd31ef86244d74aa699249121029a075cd5405
MD5 hash:
cd23cb61dea04b46354d90687bffab15
SHA1 hash:
c7719d4787204b5d9be628383c1ca2d5c8e7c83c
Link:
https://www.unpac.me/results/a4e2538f-5ad7-4df4-a233-fdd078d3b2cc/
SH256 hash:
151a6ee585c2f164b0adf97bb404558186293d218eda29d8f9ec25f67c706aa6
MD5 hash:
cb7828d2c749261635d4509ba51904e5
SHA1 hash:
14b6c6ad2308ecc71a921876ca684f0ca531a945
Link:
https://www.unpac.me/results/a4e2538f-5ad7-4df4-a233-fdd078d3b2cc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/151a6ee585c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/151a6ee585c2f164b0adf97bb404558186293d218eda29d8f9ec25f67c706aa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_DCRat
Create hunting rule
Author:ditekSHen
Description:DCRat payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 151a6ee585c2f164b0adf97bb404558186293d218eda29d8f9ec25f67c706aa6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/366036/
  
URLhaus
https://urlhaus.abuse.ch/url/2540883/
  
Delivery method
Distributed via web download

Comments