MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4
SHA3-384 hash: d5f50f6e2c5fd75d2bfdec9fc9b85a0ee097e31ce58d698b3d26de99b9547639ca29f2b6fe03efd5a464ab2799b030fe
SHA1 hash: 533eed955be40cdb1917fc82ca80456878231e89
MD5 hash: bfb883cddc2967fc7e1d43a739abb545
humanhash: south-network-jersey-kentucky
File name:pkbc.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:5'978'528 bytes
First seen:2025-05-07 01:31:03 UTC
Last seen:2025-05-07 01:35:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c6d9d416fc2bbaad624e187901fdd94 (3 x DCRat, 2 x AsyncRAT)
ssdeep 98304:DTJPJob5n/ID+9Q94oBJwibFqV49p3O9RW9Fwfv8soW95xh71mVl:DTBJ2QD+9K4oc+FqV49p3Oy68T257kVl
Threatray 49 similar samples on MalwareBazaar
TLSH T121560190766192D7D402BC3D293CAB40D0ADEC5B0E63779BF6D041F87A1E6494BF6632
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter JAMESWT_WT
Tags:80-64-18-173 booking ClickFix DCRat exe FakeCaptcha signed

Code Signing Certificate

Organisation:Valve
Issuer:Steam
Algorithm:sha256WithRSAEncryption
Valid from:2024-07-24T21:37:41Z
Valid to:2035-05-03T21:37:41Z
Serial number: 841286abb6b8000f4714ac745820dad70cc2bad3
Thumbprint Algorithm:SHA256
Thumbprint: ad15db8a9e1c7304e1c82c616cfd578c207f5ee396b39632df5d57dc97e26977
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
498
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4.exe
Verdict:
Malicious activity
Analysis date:
2025-05-07 01:59:49 UTC
Tags:
auto-startup asyncrat
Link:
https://app.any.run/tasks/6cab233a-1ff1-4b7b-9649-caaa9de9e703

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.26578.15651.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681ab879432e243ac3e4c088
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm crypt fingerprint microsoft_visual_cc packed packed packer_detected self-signed-cert signed
Link:
https://www.filescan.io/uploads/681ab7df0b64e174c41af3cc/reports/9b12ae18-9082-4165-bd31-6d9a1aa6c033/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/eb5dded8-90b8-4b51-bfb4-4dc0888c9dda
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1682824
Signature
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1682824 Sample: pkbc.exe Startdate: 07/05/2025 Architecture: WINDOWS Score: 100 35 pki-goog.l.google.com 2->35 37 c.pki.goog 2->37 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 10 other signatures 2->47 9 pkbc.exe 11 2->9         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\DeleteApp.url, MS 9->29 dropped 31 C:\Users\user\AppData\...\yhgtalvp.cmdline, Unicode 9->31 dropped 33 C:\Users\user\AppData\Local\...\pkbc.exe.log, CSV 9->33 dropped 49 Writes to foreign memory regions 9->49 51 Allocates memory in foreign processes 9->51 53 Injects a PE file into a foreign processes 9->53 13 MSBuild.exe 2 9->13         started        16 csc.exe 3 9->16         started        signatures6 process7 dnsIp8 39 80.64.18.173, 49689, 8848 RU-TAGNET-ASRU Russian Federation 13->39 19 WMIC.exe 1 13->19         started        27 C:\Users\user\AppData\Local\...\yhgtalvp.dll, PE32 16->27 dropped 21 conhost.exe 16->21         started        23 cvtres.exe 1 16->23         started        file9 process10 process11 25 conhost.exe 19->25         started       
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4/
Threat name:
Win64.Backdoor.Asyncrat
Create hunting rule
Status:
Malicious
First seen:
2025-05-06 00:56:49 UTC
File Type:
PE+ (Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmn7zbaoxy3vbnqm3kch35mnpawnsiuolqholbz3vvmb24wt43sa._file
Verdict:
malicious
Label(s):
boratrat
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
0f1073c5cacf5009f6097cf771b71ab18e3350fd445935ce72ac1b45fd175291
DCRat
30886b41903e414dc4fe410d9a85bfdc7bbaf96e1ae7130564160a97af8f75fd
DCRat
326f6f4666110d3946f684fa450fa2f5e207b6fcbc6a8170a5df22c0fcc19385
DCRat
3695e634b502f0df0f10f5445ce9aacadff5a52fcc07870b791d52bef0e4cc47
DCRat
440c3df99e39d7adbbd231ab92b01c2e70e276703e8b5831822bba1facc7e1b9
DCRat
47df6745dadac5d8ecb9c264fc93304916ea5f3be98d6fac73e24c1149cb49a8
DCRat
7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4
DCRat
d539d8a4e3ca4d3b94d072bdf9638ef870f3a77967ea1c9bdf606b892bcb016d
DCRat
dee3485407d08fdd07f00447ffa96d0ae48a7aa6c0e8fd5bd7e510adfc9a5e9f
DCRat
error
DCRat
+ 39 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default discovery rat
Link:
https://tria.ge/reports/250507-bxghjsej8v/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
80.64.18.173:8848
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b0b1d548-3aa9-4783-a792-be54b9f854c8
Unpacked files
SH256 hash:
9772170ed25dab68c6242626031fcc4d1fbba11592c886c268ec5d4a89e4b34f
MD5 hash:
cf5f5e0ed43cf6e0adf04076088b92a0
SHA1 hash:
2db9c48a9dcf603281bad13d167dbb6155539ff1
Link:
https://www.unpac.me/results/7fa8b109-eee6-4f55-a7d0-3dbd7a61effa/
SH256 hash:
7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4
MD5 hash:
bfb883cddc2967fc7e1d43a739abb545
SHA1 hash:
533eed955be40cdb1917fc82ca80456878231e89
Link:
https://www.unpac.me/results/7fa8b109-eee6-4f55-a7d0-3dbd7a61effa/
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b1bfc840ebe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DCRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dcrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:dcrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:dcrat_rkp
Create hunting rule
Author:jeFF0Falltrades
Description:Detects DCRat payloads
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments