MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c691c174c042a1f23f13b420abad454bd4b843e1033119080114da0a99cfdfff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c691c174c042a1f23f13b420abad454bd4b843e1033119080114da0a99cfdfff
SHA3-384 hash: 8a91a832350ea3986d85de2677dc2a947abd751875f36632d81718f82862111aae4e457f4db03410202a8f46c9188181
SHA1 hash: 19b4ae58c609825294a66643fdb5779e04957aab
MD5 hash: 4dc6391e49046252c6effd467c679804
humanhash: diet-pizza-victor-princess
File name:9hmhx13dh.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'429'440 bytes
First seen:2023-01-29 16:28:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e1114fffd159fabbade3f31a9695a5e8 (1 x DCRat)
ssdeep 49152:TZM+U574kFRDQc2bUyVe/l/usb/iC+nkalNs+IIWpxIF989O3:T+7pfRPV/l/v/iC+kye+hex3
Threatray 41 similar samples on MalwareBazaar
TLSH T17EB52310B1E180B2E463157919E5DA749E7EE8600F736AFF23E91F5F0F3138096359A6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter atomiczsec
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
9hmhx13dh.exe
Verdict:
Malicious activity
Analysis date:
2023-01-29 16:32:57 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/2af84be1-ca4d-45d2-811e-2b03cd91caa6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357961/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Sending an HTTP GET request
Searching for synchronization primitives
Reading critical registry keys
Creating a file in the %temp% directory
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63826/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63d69ed5905a5ac3b9091b98/reports/c5fd1224-323b-421b-88cb-55f90099258f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fdc6d25-8d59-452e-92b4-0c17d2445839
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161074
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c691c174c042a1f23f13b420abad454bd4b843e1033119080114da0a99cfdfff/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-01-25 18:05:00 UTC
File Type:
PE (Exe)
AV detection:
26 of 39 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2i4c5gaikq7epytwqqkxlkfjpklqq7bamyrscabctnavgop377q._file
Verdict:
malicious
Similar samples:
129e4bbbb2295d04fc9e580698fc3fdfcb0de73269ec940d217260b7c44455f2
DCRat
6fb65aaabd2d911fb31722cbd1d41399ded20e0e1dfef8907b7c9317727d398f
DCRat
7eb01483eef7246c6e62fada528aba666095174dc564187fa87fa1e5f12493d4
DCRat
8860322da9acde535927b05c46775e527b499330765d098d5d8ff8db790e6563
DCRat
9519793cddbb21c43cf4c3685062b2c80d892e033b2edf5895a54beac9bd30f2
DCRat
a88de17a29eaaaab996f32b4ddb579d5930b7d1f152bfb10018481e2b5612d70
DCRat
e34d698b7f65d8352dbe30c9ce05f9ecd9003a30b3a6a454b83ad70260c0926f
DCRat
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
DCRat
+ 31 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/230129-ty9jtsfa9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DCRat payload
DcRat
Unpacked files
SH256 hash:
ae825b85ed4112e3e1409649de3a2bf9e90b83f52515c7d305b6c108afddc75c
MD5 hash:
2962f4fa08c1c464c117a758ae99bfff
SHA1 hash:
30789978cdd25989195d860a5fb4ece61af6494b
Link:
https://www.unpac.me/results/3c79c442-d651-4ee0-92b0-9633506d638f/
SH256 hash:
c691c174c042a1f23f13b420abad454bd4b843e1033119080114da0a99cfdfff
MD5 hash:
4dc6391e49046252c6effd467c679804
SHA1 hash:
19b4ae58c609825294a66643fdb5779e04957aab
Link:
https://www.unpac.me/results/3c79c442-d651-4ee0-92b0-9633506d638f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c691c174c042/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c691c174c042a1f23f13b420abad454bd4b843e1033119080114da0a99cfdfff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/357961/

Comments