MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e
SHA3-384 hash: 7815fe2bcce3f6ff90f23e3281939b0dcc3d4ce1d7dd841ec03976f9373aee22936bf4cb36d744b1c92c6a8d250c7c14
SHA1 hash: 6643c62620bc4c0f2632a24e8334bed33ed0ee81
MD5 hash: 7850158ce61fb1c568aa47f007a791af
humanhash: charlie-colorado-king-hotel
File name:D1CDB6B3145E1B6D65EF1D8F5864484678E0436B34D8C.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:461'824 bytes
First seen:2022-11-01 10:10:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep 6144:K5oaqJhJMHW69B9VjMdxPedN9ug0/9TBbPJFGeuVLFG8uZGM4+w6ykksP7nF+bq6:K5oaqjp/9T5h+VLv+hKsP7Abl0h7a1h
Threatray 1'818 similar samples on MalwareBazaar
TLSH T1E6A4F157B2E51189DAB182FAC9920B46E77170720B15A3CF5B7463B71B2B8C99F3C390
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.5% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://62.109.24.147/frameprogramCamhtop/supportdemo/htop/log/rulerecordhtopCpu/localcutlog/datamobilerulehtop/Serverscriptcutgenerator/Waranti/PrefPrefrecord/support/Eternalflower.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
430
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
D1CDB6B3145E1B6D65EF1D8F5864484678E0436B34D8C.exe
Verdict:
No threats detected
Analysis date:
2022-11-01 10:11:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6801f7fa-9416-4207-8642-d05877a7d641

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326778/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33822938.14445.490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47224/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/6360f0b7a5db8d309cbc2ac0/reports/fdbc0a39-b8e1-4894-b5cd-21b26f3d4b8c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c76e9f6a-95ff-4eb2-b464-fe6d797ae424
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1102432
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 735093 Sample: D1CDB6B3145E1B6D65EF1D8F586... Startdate: 01/11/2022 Architecture: WINDOWS Score: 84 31 Antivirus detection for dropped file 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 2 other signatures 2->37 7 D1CDB6B3145E1B6D65EF1D8F5864484678E0436B34D8C.exe 9 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\84DA.bat, ASCII 7->27 dropped 10 cmd.exe 1 3 7->10         started        13 conhost.exe 7->13         started        process5 signatures6 39 Uses BatToExe to download additional code 10->39 15 extd.exe 1 10->15         started        18 extd.exe 2 10->18         started        21 extd.exe 1 10->21         started        23 extd.exe 1 10->23         started        process7 dnsIp8 41 Antivirus detection for dropped file 15->41 43 Multi AV Scanner detection for dropped file 15->43 29 cdn.discordapp.com 162.159.130.233, 443, 49698 CLOUDFLARENETUS United States 18->29 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 23:27:00 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hg3nmyulynw2zppdwhvqzciiz4oaq3lgtmmrztui4jtfqi3bgpa._file
Verdict:
malicious
Similar samples:
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
DCRat
0757a3b97f39c1d8a6c3d94770762a3912304cfaffa0330761945acd7f236213
DCRat
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
DCRat
19f71da28ebab8fe7256a657c603698ad607a7273e85d0e8b107269643cfa5dd
DCRat
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
DCRat
88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f
DCRat
b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
DCRat
ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
DCRat
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
DCRat
+ 1'808 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat upx
Link:
https://tria.ge/reports/221101-l7x86abfan/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
DCRat payload
DcRat
Unpacked files
SH256 hash:
d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e
MD5 hash:
7850158ce61fb1c568aa47f007a791af
SHA1 hash:
6643c62620bc4c0f2632a24e8334bed33ed0ee81
Link:
https://www.unpac.me/results/518d67eb-94fc-4551-a37b-43f0ff1440c3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1cdb6b3145e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/d1cdb6b3145e1b6d65ef1d8f5864484678e0436b34d8c8e674471332c11b099e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326778/

Comments