MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a383c7b6e389b8833ed16634012642bd77012fd57ce4e9cd7f7119a9b54fa25a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	a383c7b6e389b8833ed16634012642bd77012fd57ce4e9cd7f7119a9b54fa25a
SHA3-384 hash:	fd3deb7b6e7cb38dbc0751450fb2e0eda2b6a88b2ee3ecb468abafb95b108d3543550838396c2d521ac8460b91fe6983
SHA1 hash:	de13d63552fc88f13650839f8a247715e33fce53
MD5 hash:	193a5515273a1b7b81930e33ca08ab40
humanhash:	ack-ink-december-romeo
File name:	193a5515273a1b7b81930e33ca08ab40.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	3'174'793 bytes
First seen:	2022-11-03 14:47:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	09d7f8249a36bc0ff07a4d3c56b1a15e (6 x RedLineStealer, 2 x ArkeiStealer, 2 x DCRat)
ssdeep	49152:7+SJjnVeivI/4jqo4ynJfHO6Ms124t1Af4Fl3k:7+SJjnVema4j1rRuV54t1Af5
Threatray	1'272 similar samples on MalwareBazaar
TLSH	T12EE55C539A8B4D75CDD23BB0A1CB633A9734FD30CE6A8B7FA608C52959532C56C1A703
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://78.24.223.53/cpudump/_/LocalExternal2/processorDleCentralVm/cputemp/3/Cpu05/_DleLongpoll/Authwp2/dbpublic.php

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

dcrat

ID:

File name:

193a5515273a1b7b81930e33ca08ab40.exe

Verdict:

Malicious activity

Analysis date:

2022-11-03 14:49:58 UTC

Tags:

trojan rat backdoor dcrat

Link:

https://app.any.run/tasks/152b0586-8424-4ba3-9f0a-c58f8cbdb98d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/328029/

Detection(s):

Win.Trojan.Redlinestealer-9972821-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/48053/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/6363dfd39660cb122d420c92/reports/955badfe-28c0-4737-b1b7-832bb493c945/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/564d0f27-3752-4897-a452-7474e45251b9

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1104471

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected DCRat

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a383c7b6e389b8833ed16634012642bd77012fd57ce4e9cd7f7119a9b54fa25a/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-09-30 14:40:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 41 (60.98%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uob4pnxdrg4igpwrmy2acjscxv3qcl6vptsottl7oem2tnkpujna._file

Verdict:

malicious

DCRat

2fe888b1c7062ed3e7f339e0db422059ae41232027c8298d866760a5a2baa40b

DCRat

5575ce5413466ad2665bb5c91f1dd17b87ce2dd5bdacae8ea980c4df2718ad63

DCRat

9f68a07d0d8cdd3fbba1221364a831db079ee1787a1dbe1203ff4967ad88d77a

DCRat

a755ddce5ccba523434a36c677d058baef63ecb90e33670a96a70efc7978d411

DCRat

d56a39deca5258feb3a5d7b7488103e9950adbf25435655cf32050b08986f606

DCRat

+ 1'262 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat infostealer rat

Link:

https://tria.ge/reports/221103-r6ey3sdgdl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

DCRat payload

DcRat

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4fe36fc8-1edc-4da6-983b-af0af1e3e13c

Unpacked files

SH256 hash:

9a89de18967cf0dab1f6b63a22ae6f55422ee048d7d97f75a4c731218da2dad2

MD5 hash:

810de7b3e186d7cce3df22e9b9cb05db

SHA1 hash:

4fa7808308ab1298ba9303dfa300aceae7ec96f6

Link:

https://www.unpac.me/results/bb8e4239-4510-4d7e-ad4b-65f0b591c1e9/

SH256 hash:

26c0dc50eaa98a2977c1ed22f841f28d067be0e03764a644df6899abfb0dedc6

MD5 hash:

e5bb78021cdd2f380d48af15529f3b83

SHA1 hash:

583c57cc51976fda0eb44f621fa3098e0e3726a0

Link:

https://www.unpac.me/results/bb8e4239-4510-4d7e-ad4b-65f0b591c1e9/

SH256 hash:

a383c7b6e389b8833ed16634012642bd77012fd57ce4e9cd7f7119a9b54fa25a

MD5 hash:

193a5515273a1b7b81930e33ca08ab40

SHA1 hash:

de13d63552fc88f13650839f8a247715e33fce53

Link:

https://www.unpac.me/results/bb8e4239-4510-4d7e-ad4b-65f0b591c1e9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a383c7b6e389b8833ed16634012642bd77012fd57ce4e9cd7f7119a9b54fa25a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/328029/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample