MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 155b1010e6d44848c9db2783ad51a5add20599bbedbbc5bcb5ea09aa900bd9bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 7 File information Comments

SHA256 hash:	155b1010e6d44848c9db2783ad51a5add20599bbedbbc5bcb5ea09aa900bd9bf
SHA3-384 hash:	b4e049bc47d9e02c673da03f59744201e8ce00339a6f0e12530f76eeb2060ad92dbe64c04f4913632222bc1daf9d641b
SHA1 hash:	215a4a562c2b307e3200c47668fc8835cb3d22a1
MD5 hash:	b1f117279a9bfb4feda8f952e4da8b64
humanhash:	london-fanta-ten-alabama
File name:	b1f117279a9bfb4feda8f952e4da8b64.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	472'064 bytes
First seen:	2021-12-20 11:47:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9db0f09e307455cc50f9334aee64e00d (1 x DCRat)
ssdeep	12288:vUHxpq3/ztHoF8JGX9SM+bQ1nqQO13awjbSya/2SOA:vkTq3/ztHoF8Jo9/+bknejOya/22
Threatray	119 similar samples on MalwareBazaar
TLSH	T1BFA4DFECF98A8871D2DE2E7155661FC5772BAE061131F52E35620784CA0FB90740EAFE
File icon (PE):
dhash icon	a9e456476d353525 (1 x DCRat)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://51.91.193.177/6GeoGenerator8/Mariadb80wordpress/Dle9/0/ExternalcpuPublic.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://51.91.193.177/6GeoGenerator8/Mariadb80wordpress/Dle9/0/ExternalcpuPublic.php	https://threatfox.abuse.ch/ioc/278006/

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/215450/

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2747/overview

Behaviour

MalwareBazaar

CallSleep

MeasuringTime

SystemUptime

CheckNumberOfProcessor

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm clipbanker

Link:

https://www.filescan.io/uploads/61c06d754ab5c44cbf4a2eab/reports/62219caf-1f37-404b-82d5-b9f095fe48ea/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bff1f3b3-9b2b-4b31-8c56-56086dd46219

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/910231

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/155b1010e6d44848c9db2783ad51a5add20599bbedbbc5bcb5ea09aa900bd9bf/

Threat name:

Win32.Trojan.Bingoml

Status:

Malicious

First seen:

2021-12-18 05:06:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 43 (39.53%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cvnraehg2reerso3e6b22unfvxjalgn35w54lpfv5ie2veal3g7q._file

Verdict:

malicious

DCRat

152004814ccba2caa852c095f8e6b03ba70c4ee613d208fcdbfeb8460069b6c4

DCRat

7a6e41f3064591e019a73c83144ab390ef45d47d1c66e7db3b2ec17ce6c4af65

DCRat

9eb993a0a54cb16395aced5282b948d7d154722fe052e3f9cb139a34f063f04f

DCRat

accd96ee4dc62f2aee23f7f53c109b5249965d60d023f51e9924c3edc1951676

DCRat

fadb8eb7a7e20388dd3f9cf66171ae8d1c1e0845aed740ea58fa432c69bbaa7e

DCRat

+ 109 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/211220-nyfzmabccl/

Unpacked files

SH256 hash:

4d95e78bb8e3847805c34450dce2da1f2b9f33cc1412281878b1a31c7db5c7b3

MD5 hash:

631952acdb73b96c90f83634e6c5d7c2

SHA1 hash:

886c9323ff1b246a0f2a8ab0a2222ef79f10ce44

Link:

https://www.unpac.me/results/162c7877-11a9-43ff-b169-4ec004744f3e/

SH256 hash:

daafb7d6b503333abd8cd7fb922576dad7f2959cce6d361c162679cacabcd504

MD5 hash:

d01aff8ad9b6ae50bb1ba0600c4e8730

SHA1 hash:

c42ea6a5d4be00c0fdb0ded8b9da5262d6c5fe62

Link:

https://www.unpac.me/results/162c7877-11a9-43ff-b169-4ec004744f3e/

SH256 hash:

155b1010e6d44848c9db2783ad51a5add20599bbedbbc5bcb5ea09aa900bd9bf

MD5 hash:

b1f117279a9bfb4feda8f952e4da8b64

SHA1 hash:

215a4a562c2b307e3200c47668fc8835cb3d22a1

Link:

https://www.unpac.me/results/162c7877-11a9-43ff-b169-4ec004744f3e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/155b1010e6d44848c9db2783ad51a5add20599bbedbbc5bcb5ea09aa900bd9bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing bas64 encoded gzip files

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_DCRat Create hunting rule
Author:	ditekSHen
Description:	DCRat payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/215450/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample