MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 516b7bd1f6bf44033b1c80a7ca6044ad76ade2449d2c429940ff311fb661d5d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 516b7bd1f6bf44033b1c80a7ca6044ad76ade2449d2c429940ff311fb661d5d4
SHA3-384 hash: 9ab3e81be9327be234acc3a2344fdf4dcd48a47eb92cf833caa301b8e1631e40676fcce835e7b2695aa46514d0c2628c
SHA1 hash: 4a3fae5f80cab81b4a1c11554d1a0636b000d0d1
MD5 hash: 14f2f7c66c816fe71a3a3cbc133fe8bc
humanhash: north-fifteen-blossom-five
File name:14f2f7c66c816fe71a3a3cbc133fe8bc.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:6'144 bytes
First seen:2022-04-22 22:46:19 UTC
Last seen:2022-04-22 23:29:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 96:6wk9OjiwiRZIGvQ1kl+ttukvJNP4NaaJG5HQteoD1VEXV9l5o:T+wiXlvgkl+t4EEJGBoeoDnEXNm
Threatray 400 similar samples on MalwareBazaar
TLSH T18CC13A7A1450D835D91FD93309686C7105EE4EBC7D80D6319F92390CB7E1F8ADA72C96
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://178.250.247.22/centralProtect/0/DatalifeImage/track/5imageBetter/Local/voiddb04longpoll/DefaultMariadb03/1/MariadbPipetemp3/mariadb/Geo/windowsVideoUploads/Processorpipecpu/43Eternalapi/processor/apiCentral/eternalApiPrivate/Videovm_Multilinux.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://178.250.247.22/centralProtect/0/DatalifeImage/track/5imageBetter/Local/voiddb04longpoll/DefaultMariadb03/1/MariadbPipetemp3/mariadb/Geo/windowsVideoUploads/Processorpipecpu/43Eternalapi/processor/apiCentral/eternalApiPrivate/Videovm_Multilinux.php https://threatfox.abuse.ch/ioc/526813/

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265937/
Detection(s):
SecuriteInfo.com.Trojan.Heur2.FU.aiW@aS19OHn.2060.14251.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Query of malicious DNS domain
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Enabling autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62633068448aa6d8879fb85f/reports/677b0c98-3b33-44f4-9c5b-b1ee373ac472/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c7e7157-4d8a-4d13-8bbb-e2c85015f02c
Result
Threat name:
DCRat RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981693
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Drops PE files with benign system names
Found API chain indicative of debugger detection
Found API chain with Download & Execute functionality
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: File Created with System Process Name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DCRat
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 614176 Sample: EnwBxFayJM.exe Startdate: 23/04/2022 Architecture: WINDOWS Score: 100 68 easyproducts.org 2->68 74 Multi AV Scanner detection for domain / URL 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for URL or domain 2->78 80 14 other signatures 2->80 8 EnwBxFayJM.exe 23 2->8         started        13 RegHost.exe 1 1 2->13         started        15 schtasks.exe 2->15         started        17 12 other processes 2->17 signatures3 process4 dnsIp5 72 bhujanggawaisnawa.com 185.173.93.87, 49720, 80 ADMAN-ASRU Russian Federation 8->72 60 C:\Users\user\AppData\...\kzsAJSKda11pn.exe, PE32 8->60 dropped 62 C:\Users\user\AppData\Local\...\Y5ZktrUW.exe, PE32 8->62 dropped 64 C:\Users\user\AppData\...\SSPqbzyPVu.exe, PE32 8->64 dropped 66 7 other files (5 malicious) 8->66 dropped 106 Found API chain indicative of debugger detection 8->106 108 Found API chain with Download & Execute functionality 8->108 110 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->110 19 Y5ZktrUW.exe 5 12 8->19         started        23 JYs7Ih4RLucyg.exe 1 5 8->23         started        26 SSPqbzyPVu.exe 1 8->26         started        32 2 other processes 8->32 112 Creates multiple autostart registry keys 13->112 114 Writes to foreign memory regions 13->114 116 Allocates memory in foreign processes 13->116 118 2 other signatures 13->118 28 conhost.exe 13->28         started        30 bfsvc.exe 1 13->30         started        file6 signatures7 process8 dnsIp9 42 C:\Users\Default\AppData\...\SZpeDxOjfXwC.exe, PE32 19->42 dropped 44 C:\Program Files\...\ctfmon.exe, PE32 19->44 dropped 46 C:\Program Files\...\kzsAJSKda11pn.exe, PE32 19->46 dropped 48 C:\Program Files (x86)\...\explorer.exe, PE32 19->48 dropped 82 Antivirus detection for dropped file 19->82 84 Detected unpacking (overwrites its own PE header) 19->84 86 Creates an undocumented autostart registry key 19->86 104 3 other signatures 19->104 70 185.137.234.33, 49748, 49749, 8080 SELECTELRU Russian Federation 23->70 50 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 23->50 dropped 56 3 other files (none is malicious) 23->56 dropped 88 Injects code into the Windows Explorer (explorer.exe) 23->88 90 Writes to foreign memory regions 23->90 92 Allocates memory in foreign processes 23->92 94 Modifies the context of a thread in another process (thread injection) 23->94 34 conhost.exe 23->34         started        36 bfsvc.exe 1 23->36         started        96 Detected unpacking (changes PE section rights) 26->96 98 Machine Learning detection for dropped file 26->98 100 Injects a PE file into a foreign processes 26->100 38 conhost.exe 26->38         started        52 C:\Users\user\AppData\...\kzsAJSKda11pn.exe, PE32 32->52 dropped 54 C:\Users\user\AppData\Local\...\quartz.dll, PE32 32->54 dropped 58 18 other files (none is malicious) 32->58 dropped 102 Drops PE files to the startup folder 32->102 40 kzsAJSKda11pn.exe 32->40         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/516b7bd1f6bf44033b1c80a7ca6044ad76ade2449d2c429940ff311fb661d5d4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-22 02:05:00 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfvxxupwx5cagoy4qct4uycevv3k3ysetuwefgka74yr7ntb2xka._file
Verdict:
malicious
Similar samples:
18d3c86e8cf3eef27c596430279fade1c4c46b3ed4e59de2912ef2c803e13e32
DCRat
24cf5566094b9c99b75303995b503b3285531d1313658f318a931424c9ef46d3
DCRat
3e1a6299d80d53a831c2e6759ce2ac41e6d9aa6603cb2a1df7efbfb86debefa5
DCRat
64167843dc46d3b064e1258f917aba66d86c9f42958cc83e7c348f314a22abc8
DCRat
bf7cfd220d44eba42f39dc189cef99116ca1036f43a9324b9cc3f04bb7a19d6f
DCRat
d87d068e5cb1719d523dbeeff0306d360ab4d4f4efa1ba6accf61b2c3a5516e1
DCRat
fe7e378c72ec43fca46360a46a8fc8c0d5ec0f4739ce3286610774fdec47edda
DCRat
+ 390 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer upx
Link:
https://tria.ge/reports/220422-2qhp5sghc2/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
Unpacked files
SH256 hash:
516b7bd1f6bf44033b1c80a7ca6044ad76ade2449d2c429940ff311fb661d5d4
MD5 hash:
14f2f7c66c816fe71a3a3cbc133fe8bc
SHA1 hash:
4a3fae5f80cab81b4a1c11554d1a0636b000d0d1
Link:
https://www.unpac.me/results/9225155e-e16c-4f87-ba0c-e4acb58e1ed6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/516b7bd1f6bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/516b7bd1f6bf44033b1c80a7ca6044ad76ade2449d2c429940ff311fb661d5d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265937/

Comments