MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e827a29e027188b13cb4ef36747d457303ad1f28e6b50b6850e12b91ded7734a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e827a29e027188b13cb4ef36747d457303ad1f28e6b50b6850e12b91ded7734a
SHA3-384 hash: 551302311b10db326264f0ad62b703befc077e5657d66a882bbbc5cdbef9dad30606d660c972f75795d1a733e6d06e0f
SHA1 hash: 2898453ff8d5e80d8fad3eda437beed202502e0b
MD5 hash: 76a56d13f997225e4c4610495caca862
humanhash: river-jupiter-oven-eight
File name:76a56d13f997225e4c4610495caca862.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:207'360 bytes
First seen:2022-03-13 17:55:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:yeGwgEes9WoJGCsgUBYONI6q8pfc6X4lIbzSYpxQ:yJw19WEGCsgaYONIf8pf54lIbzSY/Q
TLSH T152145C3439FA5019F173EF7A9BE8759ADAAFB3633B02945D105203870B13A81DED153A
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
78.61.76.162:2574

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
78.61.76.162:2574 https://threatfox.abuse.ch/ioc/395022/

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249903/
Detection(s):
Win.Packed.Pwsx-9918173-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed redline replace.exe
Link:
https://www.filescan.io/uploads/622e3036b94fb38cb47299e5/reports/7488e983-976d-404b-a8dd-e39166456204/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a494aac-f763-4a91-b480-0789b191d942
Result
Threat name:
AsyncRAT RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955652
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Sigma detected: Schedule system process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 588133 Sample: H9c7Tcdkf8.exe Startdate: 13/03/2022 Architecture: WINDOWS Score: 100 71 xbaxis.ddns.net 2->71 81 Multi AV Scanner detection for domain / URL 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 16 other signatures 2->87 14 H9c7Tcdkf8.exe 3 2->14         started        18 RuntimeBroker.exe 2 2->18         started        signatures3 process4 file5 69 C:\Users\user\AppData\...\H9c7Tcdkf8.exe.log, ASCII 14->69 dropped 101 Injects a PE file into a foreign processes 14->101 20 H9c7Tcdkf8.exe 6 14->20         started        103 Antivirus detection for dropped file 18->103 105 Multi AV Scanner detection for dropped file 18->105 107 Machine Learning detection for dropped file 18->107 23 RuntimeBroker.exe 2 18->23         started        25 RuntimeBroker.exe 18->25         started        signatures6 process7 file8 63 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32 20->63 dropped 65 C:\Users\user\AppData\...\tmp8FB6.tmp.bat, DOS 20->65 dropped 27 cmd.exe 1 20->27         started        29 cmd.exe 1 20->29         started        process9 signatures10 32 RuntimeBroker.exe 3 27->32         started        35 conhost.exe 27->35         started        37 timeout.exe 1 27->37         started        95 Suspicious powershell command line found 29->95 97 Bypasses PowerShell execution policy 29->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 29->99 39 conhost.exe 29->39         started        41 schtasks.exe 1 29->41         started        process11 signatures12 79 Injects a PE file into a foreign processes 32->79 43 RuntimeBroker.exe 18 4 32->43         started        process13 dnsIp14 73 pastebin.com 104.23.99.190, 443, 49769 CLOUDFLARENETUS United States 43->73 75 6.tcp.ngrok.io 3.140.223.7, 15838, 49770, 49773 AMAZON-02US United States 43->75 77 192.168.2.1, 49768 unknown unknown 43->77 67 C:\Users\user\AppData\Local\...\Sickleman.exe, PE32 43->67 dropped 47 cmd.exe 43->47         started        50 RuntimeBroker.exe 2 43->50         started        file15 process16 signatures17 109 Suspicious powershell command line found 47->109 52 powershell.exe 47->52         started        54 conhost.exe 47->54         started        process18 process19 56 Sickleman.exe 52->56         started        signatures20 89 Antivirus detection for dropped file 56->89 91 Machine Learning detection for dropped file 56->91 93 Injects a PE file into a foreign processes 56->93 59 Sickleman.exe 56->59         started        61 Sickleman.exe 56->61         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e827a29e027188b13cb4ef36747d457303ad1f28e6b50b6850e12b91ded7734a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-09 02:23:07 UTC
File Type:
PE (.Net Exe)
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5at2fhqcogelcpfu543hi7kfomb22hzi422qw2cq4evzdxwxonfa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline botnet:cheat botnet:geras infostealer rat
Link:
https://tria.ge/reports/220313-wlbs5sbafl/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
RedLine
RedLine Payload
Malware Config
C2 Extraction:
null:null
xbaxis.ddns.net:2574
Unpacked files
SH256 hash:
984fa65ffa358f45153f85de61824279e29a834c5c863faaf7e4ea358f49727f
MD5 hash:
55ea6a3aee9484e96dc6532e2b12542f
SHA1 hash:
cba48d7196ab50355865c2517b46ebb8d9107930
Link:
https://www.unpac.me/results/b822b538-2ea1-4d3a-b1c6-b7919b9528ea/
SH256 hash:
e827a29e027188b13cb4ef36747d457303ad1f28e6b50b6850e12b91ded7734a
MD5 hash:
76a56d13f997225e4c4610495caca862
SHA1 hash:
2898453ff8d5e80d8fad3eda437beed202502e0b
Link:
https://www.unpac.me/results/b822b538-2ea1-4d3a-b1c6-b7919b9528ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e827a29e027188b13cb4ef36747d457303ad1f28e6b50b6850e12b91ded7734a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Redline_Stealer_10032022
Create hunting rule
Description:Detects RedLine Stealer
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249903/

Comments