MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 22

Intelligence 22 IOCs 1 YARA 45 File information Comments

SHA256 hash:	2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6
SHA3-384 hash:	abae591cc3c02a7bc98325518a91c3539e75fee9146bbb5de4f58e44c5f4dcbf16c3f0b0ba5cb071e78f3ff7de0dc8ec
SHA1 hash:	202b2aca2c2d9eee7dd73032432670a03d1e5c22
MD5 hash:	849955535b2314f0abb2e85248736084
humanhash:	wyoming-march-stream-utah
File name:	849955535b2314f0abb2e85248736084.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	2'115'584 bytes
First seen:	2025-08-23 04:55:10 UTC
Last seen:	2025-08-23 09:25:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:V2G/nvxW3WieCQdigWxHvnSe7kpmUpJDkDy+7XRjkpnCYMZ5hXXbl:VbA3jwiN1v6DkDyQOpnCtZ5tr
TLSH	T1B6A5AF0179519A75F0551933D6BF0A2087F4B8A42AA0E727BAF93B3D1E023B37D1D6C6
TrID	63.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 17.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.3% (.EXE) InstallShield setup (43053/19/16) 2.5% (.EXE) Win64 Executable (generic) (10522/11/4) 1.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika	pebin
Reporter	abuse_ch
Tags:	DCRat exe RAT

abuse_ch

DCRat C2:
http://cf39442.tw1.ru/e4c710f3.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://cf39442.tw1.ru/e4c710f3.php	https://threatfox.abuse.ch/ioc/1572799/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

dcrat

ID:

File name:

849955535b2314f0abb2e85248736084.exe

Verdict:

Malicious activity

Analysis date:

2025-08-23 04:58:40 UTC

Tags:

auto-sch dcrat rat netreactor xworm remote darkcrystal

Link:

https://app.any.run/tasks/c62867cc-bf0e-4790-9700-0b95d669169d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

R77

Link:

https://www.capesandbox.com/analysis/23115/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a949dee9d9dbcfd96d2e85

Tags:

autorun emotet cobalt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file in the Program Files subdirectories

Setting browser functions hooks

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching a process

Forced system process termination

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

DNS request

Connection attempt

Searching for the window

Sending a custom TCP request

Creating a file

Unauthorized injection to a recently created process

Blocking the User Account Control

Unauthorized injection to a system process

Unauthorized injection to a browser process

Enabling autorun by creating a file

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm anti-vm asyncrat base64 cmd crypto cscript dcrat exploit explorer fingerprint fingerprint lolbin msbuild obfuscated obfuscated overlay packed prometheus r77rootkit reconnaissance schtasks stealer unsafe windows xworm

Link:

https://www.filescan.io/uploads/68a949de4a87ed796768e40d/reports/cb5a4038-8153-48d1-b5f2-282661a276a8/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-09T15:25:00Z UTC

Last seen:

2025-08-09T15:25:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6/results?tab=lookup

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3b99d80f-856d-4012-a6ce-162083e4f9d4

Result

Threat name:

DCRat, XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1763428

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Drops PE files to the user root directory

Drops PE files with benign system names

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected DCRat

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6

Verdict:

Malware

YARA:

14 match(es)

Tags:

.Net .Net Obfuscator .Net Reactor Executable Managed .NET Obfuscated PDB Path PE (Portable Executable) PE File Layout SOS: 0.82 SOS: 0.90 VBScript Encoded Win 32 Exe WScript.Shell x86

Link:

https://app.malva.re/file/849955535b2314f0abb2e85248736084

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6/

Verdict:

Malicious

Threat:

Family.DCRAT

Link:

https://tip.neiki.dev/file/2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2025-08-10 22:27:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f4h7di2xhs2fo5nxbgy6rx2br7323tc3m6fffj3i2authnqxjsta._file

Verdict:

malicious

Label(s):

unc_loader_051

r77rootkit

Similar samples:

error

DCRat

Result

Malware family:

xworm

Score:

10/10

Tags:

family:dcrat family:xworm bootkit defense_evasion discovery execution infostealer persistence rat trojan

Link:

https://tria.ge/reports/250823-fkjjla1whw/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

SmartAssembly .NET packer

Checks whether UAC is enabled

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Command and Scripting Interpreter: PowerShell

Modifies trusted root certificate store through registry

Sets service image path in registry

DCRat payload

DcRat

Dcrat family

Detect Xworm Payload

Process spawned unexpected child process

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

UAC bypass

Xworm

Xworm family

Verdict:

Malicious

Tags:

rat dcrat rootkit trojan Win.Trojan.Uztuby-9855059-0

YARA:

MAL_EXE_DCRat_Jul_08_2 Windows_Rootkit_R77_Be403E3C Windows_Rootkit_R77_d0367e28 MALWARE_Win_R77

Link:

https://app.threat.zone/submission/060b10ef-8aa9-4cdc-ae02-138edddb8b42

Unpacked files

SH256 hash:

2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6

MD5 hash:

849955535b2314f0abb2e85248736084

SHA1 hash:

202b2aca2c2d9eee7dd73032432670a03d1e5c22

Link:

https://www.unpac.me/results/27ed4fe0-57d7-47f8-bf3c-e0a4f3ccd3cb/

SH256 hash:

879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

MD5 hash:

94f1ab3a068f83b32639579ec9c5d025

SHA1 hash:

38f3d5bc5de46feb8de093d11329766b8e2054ae

Detections:

MALWARE_Win_R77

Link:

https://www.unpac.me/results/27ed4fe0-57d7-47f8-bf3c-e0a4f3ccd3cb/

Parent samples :

3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5
9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144
2aa37e753ce1273f6ee4968bec7e2381b79a85ffbd1ee3da1fe9b4c1ea3ec4cd
88bf0db97f3bf88a4b7f0aaff64cc4065cb5da6c140008e6cb22316da47428bb
e6b8af13a9832030a6e769db896510df174c3450cc1ea9beffd59d052204e6c4
2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6

SH256 hash:

ecac0c91d0825919494b420be0b3f8b8e75dd96bb59cc9fc6504fdd332ffb700

MD5 hash:

f09042a3ba866f4f7062b23e70e0f5eb

SHA1 hash:

bcb3e863b07e1bd68f7c84305ff789610ce52cdb

Detections:

MALWARE_Win_R77

Link:

https://www.unpac.me/results/27ed4fe0-57d7-47f8-bf3c-e0a4f3ccd3cb/

Parent samples :

ade5c6fc5f35fa02723f1c302d019419a7bc0d9234a4291040846c7e3515eb78
3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5
9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144
2aa37e753ce1273f6ee4968bec7e2381b79a85ffbd1ee3da1fe9b4c1ea3ec4cd
88bf0db97f3bf88a4b7f0aaff64cc4065cb5da6c140008e6cb22316da47428bb
e6b8af13a9832030a6e769db896510df174c3450cc1ea9beffd59d052204e6c4
2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6

SH256 hash:

39dc98aab824b50c4c5171f784ba828aeba17aef6f195bb0af91a69e169956f5

MD5 hash:

3853d56a7f3197ef5c893c4c40a83d13

SHA1 hash:

a1dc754f11855e8059312eb8247625b253a45678

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/27ed4fe0-57d7-47f8-bf3c-e0a4f3ccd3cb/

Parent samples :

47cbb5a42c64378961f163b3ed5a6ad5ecdd65da4de10844d5b30bbd31bce890
39dc98aab824b50c4c5171f784ba828aeba17aef6f195bb0af91a69e169956f5
2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6

SH256 hash:

dfa20714b2f1dc7ac80f14e3f8a963310a5696e6450beb5ff3ad8f125a9c6590

MD5 hash:

8d9506eae43f59fcb680aab8ad001420

SHA1 hash:

5753ab6f572e96e64fd2cd5aa2d7800dc18e95ed

Detections:

win_xorist_auto

Link:

https://www.unpac.me/results/27ed4fe0-57d7-47f8-bf3c-e0a4f3ccd3cb/

Parent samples :

6ade40b71ee50ca95629aaa593bc8f48335ff0eee6c47c3a1dcaacbd9f1eaf42
1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274
c849031f8576f268c802695c5c6d87a8ba88c4a7abbdd66a6f0582d06eaca41e
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0
098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc
ba61b838a6b159d1d8f6fbbd1c80016fe7277225d1847de9ae50d0d83b29f9f1
b27cdbd5705c56034999011911997559d5eecb66e2e0d8b8c9aa843fe05d1627
e9f868d54dc0cda5bd4e13ad4fb6c7861b339024cd28daf0dc8eb9ee69a405fe
f14e979398839caddd543261a8e9773bcd5a95d9f433e113ecdc8605cd3b2393
647194fc5716bcdebe9b20e13b3f08e7816d13530a15e8d1669f2f25ba628274
ee9e68394df17b14d2190d46257445f427bc43d4e02be9f26bf6236b17fe0052
2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6
c7f4e1aba81ad7714da4487dd279cc886b50428116b614c9ebe246d937c478f0
dd71110a6b7fb79b2949280611957646f76503f1bda866b06e74b9a74e54dc89

Malware family:

DCRat

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2f0ff1a3573c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	dcrat_ Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked dcrat malware samples.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	DotNet_Reactor Create hunting rule
Author:	@bartblaze
Description:	Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	MALWARE_Win_R77 Create hunting rule
Author:	ditekSHen
Description:	Detects r77 rootkit

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PureCrypter Create hunting rule
Author:	@bartblaze
Description:	Identifies PureCrypter, .NET loader and obfuscator.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	Runtime_Broker_Variant_1 Create hunting rule
Author:	Sn0wFr0$t
Description:	Detecting malicious Runtime Broker

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Suspicious_PssCaptureSnapshot_Usage Create hunting rule
Author:	Dana Behling - Just me not for personal curiosity, no company.
Description:	Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Rootkit_R77_be403e3c Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

Rule name:	Windows_Rootkit_R77_d0367e28 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23115/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample