MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 16 File information Comments

SHA256 hash:	418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5
SHA3-384 hash:	197d61c187783eaf694d7b242ad7cb1e392dd0cf29e8388dce4724b10fbc7b35eeda36026826aecfe9304539ba7a8bbc
SHA1 hash:	d770ca54e382dc4ec2cb948488195c80d6ae7d04
MD5 hash:	eb4f745cc74fcde052c74ddf873a7875
humanhash:	mockingbird-east-mexico-autumn
File name:	SapphirePluginInstaller.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	2'411'274 bytes
First seen:	2025-09-01 13:21:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep	24576:2TbBv5rUyXV1PSvGOovpxzKrOvx3elCOeVMSnrNZahXjMQwT7OSybzfSM+ghaCaO:IBJ1xVrxJ5rHsjDwT7jybzfSBkkzBS
Threatray	3'023 similar samples on MalwareBazaar
TLSH	T1A3B5C00A65964E73CAD53F3084DB002DD6B2F7613613EF1F365E21D9A8172B58F12AB2
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10522/11/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	skocherhan
Tags:	bitbucket-regsdgfdhg DCRat exe

skocherhan

https://bitbucket.org/regsdgfdhg/loader-ebat-ego-rot/downloads/SapphirePluginInstaller.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://109.172.6.232/todb/line4/PythonDle57/PipeDbTemp/Pipesecure/LinuxCpuEternalprocess/Http/Generator/2/Track7Asynccentral/universal7mariadbphp/ExternalPipeBigloadflowertestDleCentraluploads.php	https://threatfox.abuse.ch/ioc/1579636/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SapphirePluginInstaller.exe

Verdict:

Malicious activity

Analysis date:

2025-09-01 13:54:13 UTC

Tags:

auto-sch auto-reg

Link:

https://app.any.run/tasks/a8c241b0-2fcf-4e81-b253-5c3802af42b5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/24559/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b59e1deb163e0ec1840c9b

Tags:

autorun shell virus sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Loading a suspicious library

Using the Windows Management Instrumentation requests

Launching a process

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Enabling autorun

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5

Verdict:

Malicious

File Type:

exe x32

First seen:

2024-08-30T11:38:00Z UTC

Last seen:

2024-08-30T11:38:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.Win32.Coins.sb Trojan.Win32.Agent.sb HEUR:Trojan-PSW.MSIL.Disco.gen Backdoor.MSIL.DCRat.sb VHO:Trojan.Win32.Agent.gen

Link:

https://opentip.kaspersky.com/418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/87b8c24e-c7b4-4a95-9c09-8af813b0e015

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5

Verdict:

Malware

YARA:

9 match(es)

Tags:

.Net .Net Obfuscator .Net Reactor Executable Managed .NET Obfuscated PDB Path PE (Portable Executable) PE File Layout SOS: 0.90 VBScript Encoded Win 32 Exe WScript.Shell x86

Link:

https://app.malva.re/file/eb4f745cc74fcde052c74ddf873a7875

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5/

Verdict:

Malicious

Threat:

Family.DCRAT

Link:

https://tip.neiki.dev/file/418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5

Threat name:

ByteCode-MSIL.Trojan.Vigorf

Status:

Malicious

First seen:

2024-08-30 11:42:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=igchf4fr7iaz2osbcbdgrgqz7y37xoqyzzk7xbvkj3dbleqkkt2q._file

Verdict:

malicious

Label(s):

unc_loader_051

DCRat

679c3a35044700ac72a678c2d8d9be622e29648ff1f00bf10fdfbf89ca636036

DCRat

6959a2d02d817dc97a1247036d48ad3ac5d720fbf0f49039eec1570d0183109d

DCRat

79f1e0a06dfd7f4abd9753989c6c177f3a9c9de57d62d44a7583721966d77852

DCRat

811f30601dbe15e0d78bf4f8319caf3dbed4227af4c08bccf8e7b33229375576

DCRat

cf3490aa43bed478680fcaf4cb718d98929b4c6c1f1f235d7187179094eeab7d

DCRat

error

DCRat

+ 3'013 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery execution persistence

Link:

https://tria.ge/reports/250901-qmnanswkz4/

Behaviour

Modifies registry class

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

.NET Reactor proctector

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Modifies WinLogon for persistence

Process spawned unexpected child process

Verdict:

Malicious

Tags:

rat dcrat Win.Trojan.Uztuby-9855059-0

YARA:

MAL_EXE_DCRat_Jul_08_2

Link:

https://app.threat.zone/submission/8cc07904-044c-435d-a148-0bde39782a4a

Unpacked files

SH256 hash:

418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5

MD5 hash:

eb4f745cc74fcde052c74ddf873a7875

SHA1 hash:

d770ca54e382dc4ec2cb948488195c80d6ae7d04

Link:

https://www.unpac.me/results/cc4adce1-e6fb-455f-95c0-cd7ebfdcb974/

SH256 hash:

7a446392ef60accfa67eb16fbe7237cae5f6b6968467c209ddd8d21a146c3d50

MD5 hash:

32719fe1585e8b6abdc0587fce37f745

SHA1 hash:

db8e3444372cb7c26b4516b7e6eb89b18445bcdf

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/cc4adce1-e6fb-455f-95c0-cd7ebfdcb974/

SH256 hash:

7c95d3b38114e7e4126cb63aadaf80085ed5461ab0868d2365dd6a18c946ea3a

MD5 hash:

e9ce850db4350471a62cc24acb83e859

SHA1 hash:

55cdf06c2ce88bbd94acde82f3fea0d368e7ddc6

Link:

https://www.unpac.me/results/cc4adce1-e6fb-455f-95c0-cd7ebfdcb974/

SH256 hash:

2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669

MD5 hash:

d8bf2a0481c0a17a634d066a711c12e9

SHA1 hash:

7cc01a58831ed109f85b64fe4920278cedf3e38d

Link:

https://www.unpac.me/results/cc4adce1-e6fb-455f-95c0-cd7ebfdcb974/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/418472f0b1fa019d3a411046689a19fe37fbba18ce55fb86aa4ec615920a54f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	dcrat_ Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked dcrat malware samples.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	DotNet_Reactor Create hunting rule
Author:	@bartblaze
Description:	Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PureCrypter Create hunting rule
Author:	@bartblaze
Description:	Identifies PureCrypter, .NET loader and obfuscator.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/24559/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample