MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165
SHA3-384 hash: 9560c3cb6369b4fbde70855ff76579ec9c7f17db1247764531fe5b0beaa2b378ec355086000fa71122d3f48363798e1a
SHA1 hash: cd1f746ee649ba9401a083e11836c2bdd5f37a37
MD5 hash: 33508e39c87bd89ce7320408b5628aba
humanhash: alaska-hamper-video-oscar
File name:x66112715198d24f63a299bd8074989cfefcd45a3c1c9.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'524'885 bytes
First seen:2026-04-17 17:27:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (907 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:82G/nvxW3Wc2l9xq5Tmp2RgPSHBwZebflzSndcsX+4f:8bA312zMm/PKbflzwdcsu0
Threatray 638 similar samples on MalwareBazaar
TLSH T12B655B023A4ADD52C0791A37C9EF443547BCBD413BA6CB2A7A9F335D64123AB4D0D6CA
TrID 92.3% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
2.2% (.EXE) Win64 Executable (generic) (6522/11/2)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 4146cc3090010101 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe RAT


Avatar
abuse_ch
DCRat C2:
http://a0571516.xsph.ru/PythonsecureProcessorgeneratoruniversal.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://a0571516.xsph.ru/PythonsecureProcessorgeneratoruniversal.php https://threatfox.abuse.ch/ioc/1793631/

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Archives NETReactor
Details
Archives
SFX commands and extracted archive contents
NETReactor
decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/1f396995-be30-488c-b7c7-ba44989a194d/
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
x66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165.exe
Verdict:
Malicious activity
Analysis date:
2026-04-17 10:25:20 UTC
Tags:
auto-sch auto-reg rat dcrat remote darkcrystal
Link:
https://app.any.run/tasks/b573178e-5681-4f11-97f6-e507bbc9a899

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/62012/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Packed.Uztuby-9877681-0
Create hunting rule

Win.Packed.Basic-9886886-0
Create hunting rule

Win.Packed.Basic-9887353-0
Create hunting rule

Win.Packed.Uztuby-9937390-0
Create hunting rule

Win.Malware.Uztuby-9939317-0
Create hunting rule

Win.Trojan.Uztuby-10010740-0
Create hunting rule

YARA.SIGNATURE_BASE_SUSP_NET_Msil_Suspicious_Use_Strreverse.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e20a8ef68adfe1003ab8da
Tags:
phishing autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the system32 subdirectories
Creating a file in the Windows subdirectories
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-15T09:23:00Z UTC
Last seen:
2026-04-19T13:39:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Backdoor.Win32.DCRat.gen Trojan.MSIL.Dnoper.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.LightStone.gen Backdoor.MSIL.DCRat.sb Backdoor.MSIL.DCRat.b
Link:
https://opentip.kaspersky.com/66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/22bdb7ec-9b16-4f8c-b4c3-2220ac97bab5
Result
Threat name:
DCRat, KeyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1900349
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected DCRat
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1900349 Sample: x66112715198d24f63a299bd807... Startdate: 17/04/2026 Architecture: WINDOWS Score: 100 65 a0571516.xsph.ru 2->65 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 13 other signatures 2->79 11 x66112715198d24f63a299bd8074989cfefcd45a3c1c9.exe 3 10 2->11         started        15 cmd.exe 2->15         started        17 conhost.exe 2->17         started        19 14 other processes 2->19 signatures3 process4 dnsIp5 53 C:\Users\...\HostdhcpCommonSvcdllCommon.exe, PE32 11->53 dropped 55 C:\Users\user\...553AqNL0HVu9lTwPHci3QiBX.vbe, data 11->55 dropped 85 Drops executable to a common third party application directory 11->85 22 wscript.exe 1 11->22         started        87 Antivirus detection for dropped file 15->87 89 Multi AV Scanner detection for dropped file 15->89 67 a0571516.xsph.ru 141.8.197.42, 49686, 49689, 49692 SPRINTHOSTRU Russian Federation 19->67 file6 signatures7 process8 signatures9 81 Windows Scripting host queries suspicious COM object (likely to drop second stage) 22->81 83 WScript reads language and country specific registry keys (likely country aware script) 22->83 25 cmd.exe 1 22->25         started        process10 process11 27 HostdhcpCommonSvcdllCommon.exe 6 16 25->27         started        31 conhost.exe 25->31         started        file12 57 C:\ProgramData\...\conhost.exe, PE32 27->57 dropped 59 C:\Program Files\...\4L3mhFlbRMcqya.exe, PE32 27->59 dropped 61 C:\...\QVfGNF6Xi4DRKwg.exe, PE32 27->61 dropped 63 2 other malicious files 27->63 dropped 91 Antivirus detection for dropped file 27->91 93 Multi AV Scanner detection for dropped file 27->93 95 Creates multiple autostart registry keys 27->95 97 3 other signatures 27->97 33 HostdhcpCommonSvcdllCommon.exe 4 14 27->33         started        signatures13 process14 file15 45 C:\Windows\System32\WMSPDMOD\dasHost.exe, PE32 33->45 dropped 47 C:\Recovery\uQydmaDVBqqBn.exe, PE32 33->47 dropped 49 C:\Program Files (x86)\...\naNxsCuHkGzId.exe, PE32 33->49 dropped 51 C:\Program Files (x86)\...\CsychqaAkL4.exe, PE32 33->51 dropped 69 Creates multiple autostart registry keys 33->69 71 Creates an autostart registry key pointing to binary in C:\Windows 33->71 37 schtasks.exe 33->37         started        39 schtasks.exe 33->39         started        41 schtasks.exe 33->41         started        43 2 other processes 33->43 signatures16 process17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165
Verdict:
Malware
YARA:
8 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET Obfuscated PDB Path PE (Portable Executable) PE File Layout SOS: 0.91 VBScript Encoded Win 32 Exe WScript.Shell x86
Link:
https://app.malva.re/file/33508e39c87bd89ce7320408b5628aba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165/
Verdict:
Malicious
Threat:
Family.DCRAT
Link:
https://tip.neiki.dev/file/66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2026-04-17 10:25:23 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=myisofizruspmorjtpmaosmjz7x42rndyheylj26iohwnvhmafsq._file
Verdict:
malicious
Label(s):
dcrat
Create hunting rule
Similar samples:
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
DCRat
3842802e7361274e141d7b500af86e3835472e3cae874bb9e36a5c5d6216e330
DCRat
40f9c1d0e2e988dbd82d8a37141cf4b03e8cff1f427424ea0966c44cac999b8f
DCRat
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
DCRat
f653378fd0d70ad1d3f3f86a34ad7b0031358612e8f9d08f692c486207a991e8
DCRat
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
DCRat
+ 628 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat discovery execution infostealer persistence rat
Link:
https://tria.ge/reports/260417-v1ww7aes9r/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
DCRat payload
Family: DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
c64b1a92e90b5e76ec26f3b475ad3b220e0d6a8b4d1214beee8bdbf540054e74
MD5 hash:
7e74eb0a740713f832b74573303733f5
SHA1 hash:
9d175158276ef39c8b70fc69bb9be45369f7a64f
Link:
https://www.unpac.me/results/8912376d-d42a-411e-befd-21680a7024dd/
SH256 hash:
7fd0fc13d0906eea98eb4226e95898b5ac6b2dc85427885431576db8af888e97
MD5 hash:
7937f3df7951b365bd0e45058778dee2
SHA1 hash:
cab870c5203ad2a328d49d89d2123604eb8d7109
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Link:
https://www.unpac.me/results/8912376d-d42a-411e-befd-21680a7024dd/
SH256 hash:
66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165
MD5 hash:
33508e39c87bd89ce7320408b5628aba
SHA1 hash:
cd1f746ee649ba9401a083e11836c2bdd5f37a37
Link:
https://www.unpac.me/results/8912376d-d42a-411e-befd-21680a7024dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66112715198d24f63a299bd8074989cfefcd45a3c1c985a75e438f66d4ec0165

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/62012/

Comments