MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 19

Intelligence 19 IOCs 1 YARA 12 File information Comments

SHA256 hash:	4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed
SHA3-384 hash:	c3b2236d46d24753505265d62f1017f6d432ad6562b0b3bb95a95763f1b7a2861172858a6aeea02f76b285908ca5011c
SHA1 hash:	062c10002ac8a5d6c113e4625fb91b021aa2b8e0
MD5 hash:	23a65de56445b1e23d1a8140595b4d3a
humanhash:	tennessee-triple-december-fourteen
File name:	file
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'965'872 bytes
First seen:	2026-01-09 06:03:59 UTC
Last seen:	2026-01-09 06:06:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	12e12319f1029ec4f8fcbed7e82df162 (430 x NirCmd, 392 x DCRat, 52 x RedLineStealer)
ssdeep	24576:2TbBv5rUyXV9oGk5cjjyNhYUs8a+o9C4me5IEM1oXSPSVPO+Z/79g9jRmmC9F4E0:IBJ9fjjjesme1M1ISPGOy/769jRmxaE0
Threatray	4'022 similar samples on MalwareBazaar
TLSH	T10E959D16B5924E72C2A12B354697033D43A5DB223652FF1B371F2192B85B7F18E732A3
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10522/11/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	DCRat dropped-by-amadey exe fbf543

Bitsight

url: http://130.12.180.43/files/7469098119/l4yt0RV.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://103.27.157.193/jsUpdateprocessorsqlwindowsgeneratordle.php	https://threatfox.abuse.ch/ioc/1693418/

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/0cab8493-2a98-4a77-9706-293209e9e769/

Malware family:

dcrat

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-01-09 06:04:23 UTC

Tags:

rat dcrat remote darkcrystal

Link:

https://app.any.run/tasks/e07c25ab-32ae-4808-b4db-89d5b879aa06

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48243/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69609a759922425f92ff1041

Tags:

injection shell sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Creating a file in the Program Files subdirectories

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 crypt evasive fingerprint installer installer installer-heuristic krypt microsoft_visual_cc obfuscated overlay overlay packed reconnaissance sfx

Link:

https://www.filescan.io/uploads/69609a7247c44dd4f7752e8c/reports/b2ff8965-4256-450d-8c6b-af612fc6d641/overview

Verdict:

Malicious

Labled as:

Application.FCA.3561;Trojan.Uztuby.Generic

Link:

https://www.hybrid-analysis.com/sample/4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-09T03:09:00Z UTC

Last seen:

2026-01-09T03:22:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agent.sb HEUR:Trojan-PSW.MSIL.Disco.gen HEUR:Trojan.Script.Agent.gen Backdoor.MSIL.DCRat.sb Backdoor.Agent.HTTP.C&C

Link:

https://opentip.kaspersky.com/4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/f0cf2e3c-306e-4343-bbf4-30f98e96b886

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed

Verdict:

Malware

YARA:

9 match(es)

Tags:

.Net .Net Obfuscator .Net Reactor Executable Managed .NET Obfuscated PDB Path PE (Portable Executable) PE File Layout SOS: 0.85 VBScript Encoded Win 32 Exe WScript.Shell x86

Link:

https://app.malva.re/file/23a65de56445b1e23d1a8140595b4d3a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed/

Verdict:

Malicious

Threat:

Family.DCRAT

Link:

https://tip.neiki.dev/file/4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed

Threat name:

Win32.Backdoor.DCRat

Status:

Malicious

First seen:

2026-01-09 06:04:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j4htsun2rpibf4ynhj76gcykxcf3x52mn3choztar5ud4xtvglwq._file

Verdict:

malicious

Label(s):

unc_loader_051

unc_loader_078

DCRat

490cc90ecbedb6ad1943b5f76b40e415ae0bb6e7588d869e01094b0aa8604686

DCRat

6959a2d02d817dc97a1247036d48ad3ac5d720fbf0f49039eec1570d0183109d

DCRat

8a430f25ff38968cf6b7e97afc3e05ab1a6c0602909ce10e2b5462ed549b28cb

DCRat

c5459027c35683913329262f49c116bc3c4309b5bb641e448016c6c9fb7acb89

DCRat

error

DCRat

+ 4'012 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat discovery infostealer rat

Link:

https://tria.ge/reports/260109-gswpkahy8a/

Behaviour

Modifies registry class

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Drops file in Program Files directory

Drops file in Windows directory

.NET Reactor proctector

Checks computer location settings

Executes dropped EXE

DcRat

Dcrat family

Verdict:

Malicious

Tags:

rat dcrat DCRat Win.Packed.Uztuby-10009381-0

YARA:

MAL_EXE_DCRat_Jul_08_2

Link:

https://app.threat.zone/submission/bcc9b4c5-8239-4546-a40c-cf9fc37650d9

Unpacked files

SH256 hash:

4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed

MD5 hash:

23a65de56445b1e23d1a8140595b4d3a

SHA1 hash:

062c10002ac8a5d6c113e4625fb91b021aa2b8e0

Link:

https://www.unpac.me/results/fcb19e4c-553e-49ee-9feb-46f6ce5406ad/

SH256 hash:

be66d62e437c61610341885f8cec93d142556b382ac15d3fff4414225e3d8a6c

MD5 hash:

b7cc2142a2d6e806b831184a40644b34

SHA1 hash:

698cd9a6c8e10d6507ad1655ea0e6ac9b15e1c15

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/fcb19e4c-553e-49ee-9feb-46f6ce5406ad/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f0f3951ba8bd012f30d3a7fe30b0ab88bbbf74c6ec47766608f683e5e7532ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	DotNet_Reactor Create hunting rule
Author:	@bartblaze
Description:	Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PureCrypter Create hunting rule
Author:	@bartblaze
Description:	Identifies PureCrypter, .NET loader and obfuscator.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)