MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e
SHA3-384 hash: 544740560e78fa090123cf7a44cd894f8654ea4c07c1842cedb099049bf48328a3999090587fbe247ee089e0b8763e92
SHA1 hash: 531b60b9e73489ed2dbacf1e4d7de14717998f25
MD5 hash: 614adccaa8fb9ed3874d64b2666ae18e
humanhash: louisiana-batman-quiet-victor
File name:fakeadobeinstaller
Download: download sample
Signature DCRat
Create hunting rule
File size:2'722'629 bytes
First seen:2022-05-10 14:03:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:mBqC/iXFDDfHSq3y02JU2It4Xw5bB4u3MlZwE1W9EsnV:4BgDDfHhv222V4bJ6ZwE89EsV
Threatray 28 similar samples on MalwareBazaar
TLSH T1B8C523027BC598F1E16328754D217B66A93CF9602F218DDF9F80496CDCA09C0D676BBE
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4c896b2aa8ad0a2 (1 x DCRat)
Reporter struppigel
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e
Verdict:
Malicious activity
Analysis date:
2022-05-10 09:08:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/42f3839b-40b1-41c8-a92c-24f9cab76e59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269437/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.48939017.23538.17037.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17000/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/627a70dab119a5f609b78cfe/reports/1df327ec-d86a-4022-ad7a-90ce6b9cbce3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77a3a1c5-3d55-4abb-9a0f-ff97ae84616f
Result
Threat name:
DCRat, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991020
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected DCRat
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 623512 Sample: fakeadobeinstaller Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 4 other signatures 2->63 9 fakeadobeinstaller.exe 10 2->9         started        process3 file4 43 C:\Users\user\AppData\Local\...\crypt.exe, PE32 9->43 dropped 45 C:\Users\user\AppData\Local\...\setup.exe, PE32 9->45 dropped 12 crypt.exe 1 9->12         started        15 setup.exe 1 11 9->15         started        process5 signatures6 81 Antivirus detection for dropped file 12->81 83 Multi AV Scanner detection for dropped file 12->83 85 Contains functionality to inject code into remote processes 12->85 87 3 other signatures 12->87 17 RegSvcs.exe 15 6 12->17         started        22 conhost.exe 12->22         started        process7 dnsIp8 47 45.14.15.235, 49758, 49759, 80 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 17->47 39 8bfe65513ae6e6a1af...5fe37c9eec15df8.exe, PE32 17->39 dropped 41 80754af91bfb6d1073...fe0a474ce868509.exe, PE32 17->41 dropped 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->65 67 May check the online IP address of the machine 17->67 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->69 24 80754af91bfb6d1073585b046fe0a474ce868509.exe 1 17->24         started        27 8bfe65513ae6e6a1af42c06d65fe37c9eec15df8.exe 1 17->27         started        file9 signatures10 process11 signatures12 71 Antivirus detection for dropped file 24->71 73 Multi AV Scanner detection for dropped file 24->73 75 Writes to foreign memory regions 24->75 29 RegSvcs.exe 3 24->29         started        33 conhost.exe 24->33         started        77 Allocates memory in foreign processes 27->77 79 Injects a PE file into a foreign processes 27->79 35 RegSvcs.exe 2 27->35         started        37 conhost.exe 27->37         started        process13 dnsIp14 49 193.106.191.131, 49769, 80 BOSPOR-ASRU Russian Federation 29->49 51 api.ip.sb 29->51 89 Tries to harvest and steal browser information (history, passwords, etc) 29->89 91 Tries to steal Crypto Currency Wallets 29->91 53 ip-api.com 208.95.112.1, 49764, 80 TUT-ASUS United States 35->53 55 192.168.2.1 unknown unknown 35->55 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-04-27 16:06:38 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=viih6xqtvfmajvixllfmsbnvhgthn5y7laxfzjis32u7qobpffha._file
Verdict:
malicious
Similar samples:
12a627ac9cf1ef6cc70c07468d2744188ba798ce8f1597de513d6d87d0e38f33
DCRat
3b4357ccbe5c7ec75510c453b4b191cf5f076babbf645938d4584ba9bc532e19
DCRat
731adf2e11160b6cf67dc393dfd47d89f9e80b74e8754050a53b6ca51323517d
DCRat
b6a0cc1e5488c0c9f1429d1744f8c2f81f7dce4229b8322fbdad043cd9084b1f
DCRat
deceeec4d99e6b4b70de57d6ee732b1f70e6cbb9ea27d0bb7304fd51b1ca0b2d
DCRat
e1c6d4fa79af1e7487d0238e04b466a1bd697f4250cd9e6dfbb449636a360634
DCRat
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220510-rc9atsbhfn/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
b488be07b518dd1574d56fde0fb27c21ee241eb5c1acb5b99f4edc79f8963a19
MD5 hash:
a2ae64aed2d1a83f2501fd0b534c99e1
SHA1 hash:
e7f9db87d1742e8831b2365c0636cba9ad3d041f
Link:
https://www.unpac.me/results/a2710bcf-0773-4653-887b-62f16476cbb4/
SH256 hash:
aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e
MD5 hash:
614adccaa8fb9ed3874d64b2666ae18e
SHA1 hash:
531b60b9e73489ed2dbacf1e4d7de14717998f25
Link:
https://www.unpac.me/results/a2710bcf-0773-4653-887b-62f16476cbb4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269437/

Comments