MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8
SHA3-384 hash: 2a1dce05e64699312f234b6b1059b0ebabf65facd282ef932b13f02d500955304eb069730d69961c7a62e14fbf163298
SHA1 hash: 43df9e7b27e87569f1eba3852f7cf2c0e0cf1702
MD5 hash: 328a0fd461b50ffdc0b98c95d7c7db97
humanhash: lima-sierra-louisiana-illinois
File name:64thService.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:12'282'304 bytes
First seen:2025-08-04 11:11:58 UTC
Last seen:2025-08-05 00:16:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 42e4a5b83d0b4203db79cdd1f9d4b9b7 (1 x DCRat)
ssdeep 196608:yml7+ZkdtDS4xCnFMlz6azBTb9B5mvVs8s/gwlgBt1Spifq:ym0670Md6IBM9N0iC
TLSH T165C623DA0AE956F0C0D30720658A439E3482A69C45FC4D2D3DD06C479B5DEBE258EFBB
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:DCRat exe signed

Code Signing Certificate

Organisation:Winamp SA
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-15T00:00:00Z
Valid to:2024-06-12T23:59:59Z
Serial number: 08d4bf5a529c725997e0f6c526495d2f
Intelligence: 45 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: db796af1ce42a1f71907fc7f6c06313f29fda38a2059dadfb09bf21943338286
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
55
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
64thService.exe
Verdict:
Malicious activity
Analysis date:
2025-08-04 11:00:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2a57148-0caf-47d2-8b22-5f3337bf3f92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18769/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.65491116.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689092db0b4775fb213608eb
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Creating a file in the system32 directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
expired-cert obfuscated packed packed signed vmprotect
Link:
https://www.filescan.io/uploads/689095a673b8ef6f4afda7cd/reports/31771f62-7508-4916-a509-f73bedf2cb38/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/898ad228-f6f6-43e0-abe6-caf88850c651
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749779
Signature
Adds a directory exclusion to Windows Defender
Detected potential unwanted application
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses known network protocols on non-standard ports
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1749779 Sample: 64thService.exe Startdate: 04/08/2025 Architecture: WINDOWS Score: 100 27 prod.keyauth.com 2->27 29 64thservice.site 2->29 35 Suricata IDS alerts for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 6 other signatures 2->41 8 64thService.exe 9 2->8         started        signatures3 process4 dnsIp5 31 99.237.150.124, 49694, 5501 ROGERS-COMMUNICATIONSCA Canada 8->31 25 C:\Windows\System32\jxsdnzfn.exe, PE32+ 8->25 dropped 43 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->43 45 Suspicious powershell command line found 8->45 47 Drops executables to the windows directory (C:\Windows) and starts them 8->47 49 2 other signatures 8->49 13 jxsdnzfn.exe 14 8 8->13         started        17 powershell.exe 23 8->17         started        19 conhost.exe 8->19         started        file6 signatures7 process8 dnsIp9 33 prod.keyauth.com 104.21.16.1 CLOUDFLARENETUS United States 13->33 51 Multi AV Scanner detection for dropped file 13->51 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->53 55 Found direct / indirect Syscall (likely to bypass EDR) 13->55 57 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->57 59 Loading BitLocker PowerShell Module 17->59 21 conhost.exe 17->21         started        23 WmiPrvSE.exe 17->23         started        signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/328a0fd461b50ffdc0b98c95d7c7db97
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8/
Verdict:
Malicious
Threat:
Trojan.Win32.Snojan
Link:
https://tip.neiki.dev/file/f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-04 11:12:33 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hmylq25aqkffvwwbjmxy6vcglmzcjr57qaxrk3ibxf4qivsfs4a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250804-na4e1syzcx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
ConfuserEx .NET packer
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
JS_Nemucod_M_gen JS_Nemucod
YARA:
n/a
Link:
https://app.threat.zone/submission/72c6ca41-56cb-4ee3-aa95-4ca92edfdc40
Unpacked files
SH256 hash:
f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8
MD5 hash:
328a0fd461b50ffdc0b98c95d7c7db97
SHA1 hash:
43df9e7b27e87569f1eba3852f7cf2c0e0cf1702
Link:
https://www.unpac.me/results/f432e095-da0d-4d6d-b3cf-29fcd14a4765/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9d985c35d04/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_MalCert_65514fe0
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe f9d985c35d041452d6d60a597c7aa232d991263dfc0178ab680dcbc822b22cb8

(this sample)

DCRat

Executable exe 31ed9da35b7d67a03adede508830880b3af7d04207ca899752848fd2d1ae6718

DCRat

Executable exe 4e02bef56cb4ed575d943e40a1137de56db6875d95e907b7479365b6b69dd2ab

DCRat

Executable exe 56dd62ecb6e2c59e83c78b61c4a5454502825405039317c8fd9b89412c14c850

  
Dropping
SHA256 56dd62ecb6e2c59e83c78b61c4a5454502825405039317c8fd9b89412c14c850
  
Dropping
MD5 035e1cd44e1d006a0dc8d5eb7d79a54d
Cape
Cape
https://www.capesandbox.com/analysis/18769/
  
URLhaus
https://urlhaus.abuse.ch/url/3596158/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsWININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleScreenBufferSize

Comments