MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: DCRat
Vendor detections: 17

SHA256 hash: e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a
SHA3-384 hash: 06ce42337cc5eafcb29c584d1c6abb2258374dacaafc53d302eaf4b35a71b032ec70bc21d1310529b451459914295456
SHA1 hash: ea2e7cf1f27e33dfaa5866653da398b3efaadea3
MD5 hash: 7862b63c418789257f399d079d011549
humanhash: spring-wolfram-massachusetts-speaker
File name: 7862b63c418789257f399d079d011549.exe
Download: download sample
Signature: DCRat
File size: 559'104 bytes
First seen: 2023-02-26 06:20:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 12288:TMrJy90NBJ2f3wL+Da+8lKQ/4grkA2fqr+XmVX2FQ:eyWBJ23wLyajlzPrCCr+Xq
Threatray: 4'063 similar samples on MalwareBazaar
TLSH: T145C4020BE7E88022F4F567745DF303C31635BD515A3882AB2B8FAD5D18726B4A63136B
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE): PE icon
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://haivo.co.zw/admin/Linerequestgeosql.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 198
Origin country: n/a
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 7862b63c418789257f399d079d011549.exe
Verdict: Malicious activity
Analysis date: 2023-02-26 06:21:41 UTC
Tags: trojan amadey rat redline loader backdoor dcrat stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Creating a window
Running batch commands
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: advpack.dll amadey CAB comodo greyware installer packed redline rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, DCRat, RedLine, Xmrig
Detection: malicious
Classification: phis.troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops PE files to the user root directory
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected DCRat
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [interactive graph not reproduced] Behavior Graph ID: 815340, Sample: GSpNG3g7y2.exe, Startdate: 26/02/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2023-02-11 09:18:13 UTC
File Type: PE (Exe)
Extracted files: 138
AV detection: 20 of 25 (80.00%)
Threat level: 2/5
Result
Malware family: redline
Score: 10/10
Tags: family:amadey family:dcrat family:redline botnet:frukt botnet:rodik botnet:romik discovery infostealer persistence rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
DCRat payload
Amadey
DcRat
Process spawned unexpected child process
RedLine
RedLine payload
Malware Config
C2 Extraction:
62.204.41.5/Bu58Ngs/index.php
62.204.41.88/9vdVVVjsw/index.php
193.233.20.12:4132
193.233.20.23:4124
Unpacked files
SHA256 hash: 75f41983d7da68c378b64f8e5633bde393f9c550469ae5bd4da6d64d6674286b
MD5 hash: 285e4cae921c512fec71492eaafc27c4
SHA1 hash: 7a1022b0ec66c57a216bd0f842906917e7851130

SHA256 hash: 026fe26cda6bcfb93533c3cc75e564431f13d2e32e4ee5d34c3bed13bb5035a5
MD5 hash: 6402b7f57f8fa04daae7fa312bcc6def
SHA1 hash: 7f49a72f083b594ef25511bbf2ac294372e9e6fc

SHA256 hash: c73864047adc9efa17de0467168fa22d50edd5d1bda347314183073098d34ce5
MD5 hash: 1d83ae4b0b827a40e48c554410260ce0
SHA1 hash: 5235dcd38551d92751ea29be3888f5146093352a

SHA256 hash: e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a
MD5 hash: 7862b63c418789257f399d079d011549
SHA1 hash: ea2e7cf1f27e33dfaa5866653da398b3efaadea3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments