MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb
SHA3-384 hash:	3880c20cea9726c7a3e8d18ac0b782e85fca0d279281718b2aa077d1fcb60599bd0b50815f6e2be6ca3d139fbe57cd66
SHA1 hash:	72d7ea8236f816ad646bd7a89b3d80a9bb113d40
MD5 hash:	b3561957fa1dc56bde14108eea35c51f
humanhash:	black-butter-oxygen-batman
File name:	SysTask.vbs
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'267'042 bytes
First seen:	2026-01-03 17:42:35 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	768:SLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbLbY:J
Threatray	2'473 similar samples on MalwareBazaar
TLSH	T15F450CED9CA02944BE4976B48E7FDCBA9C035DAB3AFF036143F0519207246ADE436875
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	txt
Reporter	BlinkzSec
Tags:	91-92-243-117 DCRat vbs

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/47383/

Detection(s):

Sanesecurity.Malware.26618.JsHeur.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69595534e148d42004defd04

Tags:

dropper xtreme shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 evasive networm powershell ransomware

Link:

https://www.filescan.io/uploads/695955322fb7bb52ca8602ce/reports/e33b75df-52cd-4d3c-9589-606e8d1e1e1a/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb

Verdict:

Malicious

File Type:

unknown

First seen:

2025-12-23T16:25:00Z UTC

Last seen:

2026-01-04T07:16:00Z UTC

Hits:

~10

Detections:

Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb

Verdict:

Malware

YARA:

3 match(es)

Tags:

DeObfuscated Obfuscated PowerShell Scripting.FileSystemObject T1059.005 VBS Execute Sub-Script VBScript WScript.Shell wscript.shell

Link:

https://app.malva.re/file/b3561957fa1dc56bde14108eea35c51f

Detection:

dcrat

Link:

https://mwdb.cert.pl/sample/7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb/

Verdict:

Malicious

Threat:

Trojan-Downloader.JS.Cryptoload

Link:

https://tip.neiki.dev/file/7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb

Threat name:

Script-WScript.Backdoor.Asyncrat

Status:

Suspicious

First seen:

2026-01-02 09:55:28 UTC

File Type:

Binary

AV detection:

8 of 38 (21.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p747pm6v5zo3ezz3qiifhg3bplh722ipfmjfbf6vdkb3ouh4725q._file

Verdict:

malicious

Label(s):

dcrat

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:fenix discovery execution persistence rat

Link:

https://tria.ge/reports/260106-kh8g6ayley/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Drops startup file

Badlisted process makes network request

AsyncRat

Asyncrat family

Malware Config

C2 Extraction:

avefenix35630.duckdns.org:35630

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

vbs 7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/47383/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample