MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fab157d0875965581784c280d4b74c0adef81be4c002563732dd004207ff8ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fab157d0875965581784c280d4b74c0adef81be4c002563732dd004207ff8ae
SHA3-384 hash: 69d2f2d0c9c3fa3f4d772dccfce0dc8486a0d1c3cd94b74727cfe8f1282f6d1fc52cf9029bdd1bf6f9287e69c32a929b
SHA1 hash: c045f3749a73752c766e315d52964c1c7482736e
MD5 hash: 644ba574ccf34cab7c0cf6efbe56d3f5
humanhash: illinois-kansas-lemon-march
File name:644ba574ccf34cab7c0cf6efbe56d3f5.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'439'180 bytes
First seen:2022-01-16 20:26:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7dd6fa75115d9909f747434e40fff68 (173 x RedLineStealer, 10 x DCRat, 1 x CoinMiner.XMRig)
ssdeep 24576:qTPz9MZKWep6nXDlTtNbWeO9OzqZhnxLjcnCux8ibVTTxkEaHNYK3O1ZOeQqW:GOYWep6XDdzbUCq/nxsnCa3xNaWPQt
Threatray 2'743 similar samples on MalwareBazaar
TLSH T1976523DE4785666ACE01DFF05D5A4F1B81B106E9AA48296FBD3807863772053FB3089F
File icon (PE):PE icon
dhash icon f0f0d0b4ccd4f0f0 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
92.38.241.101:36778

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.38.241.101:36778 https://threatfox.abuse.ch/ioc/295763/

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
644ba574ccf34cab7c0cf6efbe56d3f5.exe
Verdict:
Malicious activity
Analysis date:
2022-01-16 20:29:21 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/bd7adfb1-7efc-4789-87d5-360bf27792da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219653/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61e47f981883c5ba4ed511a5/reports/7b25b8df-714f-4d65-9228-c329e5c88cde/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2e00fd2-9c69-477c-bef6-b92d57ac878b
Result
Threat name:
DCRat RedLine TVrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921469
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected DCRat
Yara detected RedLine Stealer
Yara detected TVrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553947 Sample: 3aJqOjkYXO.exe Startdate: 16/01/2022 Architecture: WINDOWS Score: 100 60 id.xn--80akicokc0aablc.xn--p1ai 2->60 90 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->90 92 Antivirus detection for dropped file 2->92 94 Antivirus / Scanner detection for submitted sample 2->94 96 13 other signatures 2->96 9 3aJqOjkYXO.exe 15 7 2->9         started        14 ast.exe 2->14         started        signatures3 process4 dnsIp5 70 theagencymg.com 91.219.60.60, 49756, 80 YANINA-ASUA Ukraine 9->70 52 C:\Users\user\AppData\Local\Temp\re.exe, PE32 9->52 dropped 54 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 9->54 dropped 56 C:\Users\user\AppData\Local\Temp\as.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\...\3aJqOjkYXO.exe.log, ASCII 9->58 dropped 114 Detected unpacking (changes PE section rights) 9->114 116 Detected unpacking (overwrites its own PE header) 9->116 118 Query firmware table information (likely to detect VMs) 9->118 120 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->120 16 re.exe 9->16         started        19 as.exe 54 9->19         started        22 rc.exe 4 9->22         started        file6 signatures7 process8 file9 72 Machine Learning detection for dropped file 16->72 74 Writes to foreign memory regions 16->74 76 Allocates memory in foreign processes 16->76 78 Injects a PE file into a foreign processes 16->78 24 AppLaunch.exe 5 16->24         started        28 WerFault.exe 23 9 16->28         started        30 WerFault.exe 16->30         started        34 2 other processes 16->34 42 C:\Users\user\AppData\Local\Temp\...\ast.exe, PE32 19->42 dropped 44 C:\Users\user\AppData\...\vcruntime140.dll, PE32 19->44 dropped 46 C:\Users\user\AppData\Local\...\vcomp140.dll, PE32 19->46 dropped 50 22 other files (none is malicious) 19->50 dropped 80 Multi AV Scanner detection for dropped file 19->80 32 cmd.exe 19->32         started        48 C:\Program Files (x86)\...\SearchUI.exe, PE32 22->48 dropped 82 Antivirus detection for dropped file 22->82 84 Detected unpacking (changes PE section rights) 22->84 86 Detected unpacking (overwrites its own PE header) 22->86 88 2 other signatures 22->88 signatures10 process11 dnsIp12 68 92.38.241.101, 36778, 49782 DINET-ASRU Russian Federation 24->68 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->106 108 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->108 110 Tries to harvest and steal browser information (history, passwords, etc) 24->110 112 Tries to steal Crypto Currency Wallets 24->112 36 ast.exe 32->36         started        40 conhost.exe 32->40         started        signatures13 process14 dnsIp15 62 id.xn--80akicokc0aablc.xn--p1ai 212.193.169.74, 443, 44335, 49799 SAFIB-ASRU Russian Federation 36->62 64 193.228.110.60, 44444, 49818 ROSTELECOM-ASRU Russian Federation 36->64 66 3 other IPs or domains 36->66 98 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 36->98 100 Tries to delay execution (extensive OutputDebugStringW loop) 36->100 102 Tries to evade analysis by execution special instruction which cause usermode exception 36->102 104 2 other signatures 36->104 signatures16
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-16 20:27:15 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6vrk7iiowlflalyjqua2s3uycw67an6jqacky3tfxiaiid77cxa._file
Verdict:
malicious
Similar samples:
1fab157d0875965581784c280d4b74c0adef81be4c002563732dd004207ff8ae
DCRat
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
DCRat
56b881db1ae0588748f3b27a3fc1691630771373901fbe8aad19ebb0a58552ef
DCRat
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
DCRat
89ed0d6aa2b4dc137a6708847ca6e2504f52e23f1dfc6dd6057797610e7271d7
DCRat
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
DCRat
eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1
DCRat
ef73634b7054d9171a92b879afeaa2318bb54ec16502f854337644a2a678014f
DCRat
+ 2'733 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/220116-y8d8wsgba2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/d61ee918-e223-41f7-8c37-d5b8061534c2/
SH256 hash:
1fab157d0875965581784c280d4b74c0adef81be4c002563732dd004207ff8ae
MD5 hash:
644ba574ccf34cab7c0cf6efbe56d3f5
SHA1 hash:
c045f3749a73752c766e315d52964c1c7482736e
Link:
https://www.unpac.me/results/d61ee918-e223-41f7-8c37-d5b8061534c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/1fab157d0875965581784c280d4b74c0adef81be4c002563732dd004207ff8ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219653/

Comments