MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb
SHA3-384 hash: 89e6a1c3285c91b958c11f4f044932b2bcf74005285bff253858c6d845e870ee1de1e8846f1b8a8dc318f67cb415ecf8
SHA1 hash: 797fa4ff832ddd41bf8d060bc981b58fc5f2e0de
MD5 hash: b4095bc79e4171de3735c14068a646f0
humanhash: fish-neptune-uncle-winter
File name:EFbl.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:21'802'532 bytes
First seen:2025-10-23 14:44:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (7 x OffLoader, 7 x HijackLoader, 5 x Tofsee)
ssdeep 393216:2DD1yr+j7lqBQ6KQDwIgK5rPSwFR5kSZE6i1hMKnM3JFPe4nNi/8UHU:Vr+j7RUDyK5raAR5v+6i1VmNe8iJU
TLSH T150273327A20DA33FE469463916735DA085BF6F20551ACC63DAE42E4CCE3D0A90D7EF46
TrID 60.0% (.EXE) Inno Setup installer (107240/4/30)
23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:CHN DCRat exe letsvpn-dev VenomRAT


Avatar
iamaachum
https://letsvpn.dev/download => https://letsvpn.dev/lest_Install.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lets_安装.exe
Verdict:
Malicious activity
Analysis date:
2025-10-23 14:36:04 UTC
Tags:
auto-reg delphi
Link:
https://app.any.run/tasks/e016c2a9-f322-4f36-803e-89ae7fda172e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33912/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fa3dcf6c859164aa638cd9
Tags:
dropper overt sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Moving a recently created file
Moving a file to the %temp% subdirectory
Searching for the window
Searching for analyzing tools
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Connection attempt
Sending a custom TCP request
Setting a global event handler for the keyboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint innosetup installer overlay packed zero
Link:
https://www.filescan.io/uploads/68fa3f5d3a79800405f32f4b/reports/107bdfc1-6262-46b2-ae40-43a07c9706ae/overview
Verdict:
Suspicious
Labled as:
Backdoor.MSIL.XWorm.gen
Link:
https://www.hybrid-analysis.com/sample/6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-23T11:47:00Z UTC
Last seen:
2025-10-23T13:53:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Shellcode.sb Trojan.Win32.RokRat.sb Trojan.Win32.Mansabo.sb Trojan.Win32.AntiAV.sb Trojan.Agent.TCP.C&C Trojan.Win32.Gatak.sb Trojan.Win32.Agent.sb Backdoor.Win32.Zegost.sb Backdoor.MSIL.Crysan.sb UDS:DangerousObject.Multi.Generic Backdoor.MSIL.Crysan.loq Trojan.Win32.AntiAV.dccq
Link:
https://opentip.kaspersky.com/6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb/results?tab=lookup
Result
Threat name:
DcRat, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1800685
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DcRat
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1800685 Sample: EFbl.exe Startdate: 23/10/2025 Architecture: WINDOWS Score: 100 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 5 other signatures 2->55 11 EFbl.exe 2 2->11         started        process3 file4 43 C:\Users\user\AppData\Local\Temp\...Fbl.tmp, PE32 11->43 dropped 14 EFbl.tmp 3 4 11->14         started        process5 file6 45 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 14->45 dropped 17 EFbl.exe 2 14->17         started        process7 file8 33 C:\Users\user\AppData\Local\Temp\...Fbl.tmp, PE32 17->33 dropped 20 EFbl.tmp 5 9 17->20         started        process9 file10 35 C:\ProgramData\231\a2guard.exe (copy), PE32+ 20->35 dropped 37 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->37 dropped 39 C:\ProgramData\231\log.dll (copy), PE32 20->39 dropped 41 4 other files (none is malicious) 20->41 dropped 23 a2guard.exe 1 20->23         started        process11 signatures12 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->57 59 Maps a DLL or memory area into another process 23->59 61 Found direct / indirect Syscall (likely to bypass EDR) 23->61 26 svchost.exe 23->26 injected process13 signatures14 63 Maps a DLL or memory area into another process 26->63 29 RuntimeBroker.exe 1 6 26->29 injected process15 dnsIp16 47 156.239.14.6, 49691, 49695, 56003 MISAKAEU Seychelles 29->47 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->65 signatures17
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b4095bc79e4171de3735c14068a646f0
Gathering data
Verdict:
Clean
Link:
https://tip.neiki.dev/file/6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb
Threat name:
Win32.Worm.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-23 14:38:06 UTC
File Type:
PE (Exe)
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n73pdq3elk5gtj3jk3wipuutfkpnlddbuvvdbpd4yp4j2u4vcd5q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/251023-r4hl7aex6b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fb5013c3-8568-4879-bd57-c80b4cbe1efa
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6ff6f1c3645a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145

DCRat

Executable exe 6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb

(this sample)

  
Link
https://tria.ge/251023-rxlehafp6x/behavioral1
  
Dropped by
SHA256 a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145
  
Delivery method
Distributed via web download
  
Dropped by
MD5 172ca69d99fe1ed84986f69ca8120f04
Cape
Cape
https://www.capesandbox.com/analysis/33912/

Comments