MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 13



SHA256 hash: a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145
SHA3-384 hash: 974df0ad614d18f3d6cd4e2ec5cc3f44c9a9e678babe8d7b701792abafd31e2b6d2f33fb1b6336d1e59c6466c8427687
SHA1 hash: c1581be7b65a194e01dbbb02bef97ad01d82a051
MD5 hash: 172ca69d99fe1ed84986f69ca8120f04
humanhash: beryllium-sodium-yellow-eighteen
File name:lets_安装.exe
Download: download sample
Signature DCRat
File size:37'937'719 bytes
First seen:2025-10-23 14:35:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d221b1dc8c3a08622f6512e7876527c8 (3 x ZhongStealer, 2 x ValleyRAT, 1 x CoinMiner)
ssdeep 786432:IiVcvv2WSKw3ObiNV6pmniAZryaRSDyK5xaMR5x+6i1PaNyK:IiVcvuGw3ObiNV6MniAZr2DyK3aCi1PU
TLSH T1DC8733290715897AE9A8847421F709EBA7FE1B3F4F44DC029F9F12EED6FA14C48C0A55
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter aachum
Tags:CHN exe letsvpn-dev VenomRAT
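The four digests above are all computed over the same bytes, so a file is this sample if any one of them matches. The script below is an added example (not MalwareBazaar's code) that hashes a local file with the same four algorithms the entry lists, compares the result against this entry, and additionally flags the file names the sandbox report on this page shows being dropped (eTfk.exe, EFbl.exe, genteert.dll, LetsPRO.exe, a2guard.exe, log.dll). It runs offline; fetching the sample from MalwareBazaar is deliberately left out. The ssdeep and TLSH values on the page are not covered because they need third-party libraries.

```python
"""
Added example, not MalwareBazaar code: check local files against the hash and
dropped-file-name indicators of this entry. Input in the test is constructed.
"""
import hashlib
import os
import re

# Digests copied from this entry; hashlib knows every algorithm MalwareBazaar lists.
ENTRY_HASHES = {
    "md5": "172ca69d99fe1ed84986f69ca8120f04",
    "sha1": "c1581be7b65a194e01dbbb02bef97ad01d82a051",
    "sha256": "a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145",
    "sha3_384": "974df0ad614d18f3d6cd4e2ec5cc3f44c9a9e678babe8d7b701792abafd31e2b"
                "6d2f33fb1b6336d1e59c6466c8427687",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

# File names the sandbox process tree on this page shows being dropped or started.
# A name match alone is weak evidence (LetsPRO.exe and a2guard.exe are legitimate
# product names); it is reported separately from a hash match for that reason.
DROPPED_NAMES = {"etfk.exe", "efbl.exe", "genteert.dll", "letspro.exe",
                 "a2guard.exe", "log.dll"}


def hash_bytes(data):
    """All four digests of an in-memory buffer (used by the test)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path, chunk=1 << 20):
    """All four digests of a file, read once in 1 MiB blocks (the sample is ~38 MB)."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_entry(digests, indicators=ENTRY_HASHES):
    """Algorithms on which `digests` equals the indicator set (empty list = no match).

    Because every algorithm hashes the same bytes, a correct result is all-or-nothing;
    a partial overlap means the indicator table was copied wrongly, not a near-miss.
    """
    return sorted(alg for alg in ALGORITHMS
                  if alg in indicators
                  and digests.get(alg, "").lower() == indicators[alg].lower())


def name_hit(path):
    """True if the final path component is one of the dropped-file names above.
    Splits on both separators so Windows paths work when run from Linux."""
    return re.split(r"[\\/]", path)[-1].lower() in DROPPED_NAMES


def scan_tree(root, indicators=ENTRY_HASHES):
    """Walk `root` and return one finding per file that matches by hash or by name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            algs = match_entry(digests, indicators)
            if algs or name_hit(path):
                findings.append({"path": path, "sha256": digests["sha256"],
                                 "hash_match": algs, "name_match": name_hit(path)})
    return findings


if __name__ == "__main__":
    import sys
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it as `python check_entry.py <directory>`; a hash match on any algorithm is conclusive, a name-only match is a lead to triage by hand.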


iamaachum
https://letsvpn.dev/download => https://letsvpn.dev/lest_Install.zip

Intelligence


File Origin
# of uploads :
1
# of downloads :
108
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lets_安装.exe
Verdict:
Malicious activity
Analysis date:
2025-10-23 14:36:04 UTC
Tags:
auto-reg delphi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
shell micro madi sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Moving a recently created file
Sending a custom TCP request
Searching for the window
Searching for analyzing tools
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Connection attempt
Setting a global event handler for the keyboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-23T11:52:00Z UTC
Last seen:
2025-10-24T05:15:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sb Trojan.Agent.TCP.C&C Backdoor.Win32.Zegost.sb Backdoor.MSIL.Crysan.loq Trojan-Dropper.Win32.Dapato.sgid PDM:Trojan.Win32.Generic Trojan.Win32.Shellcode.sb Trojan.Win32.Gatak.sb Backdoor.MSIL.Crysan.sb UDS:DangerousObject.Multi.Generic Trojan.Win32.RokRat.sb Trojan.Win32.Mansabo.sb Trojan.Win32.AntiAV.sb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw.evad (Joe Sandbox shorthand: spreading, trojan, spyware, evader)
Score:
56 / 100
Signature
Accesses sensitive object manager directories (likely to detect virtual machines)
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the DNS server
Modifies the windows firewall
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (Joe Sandbox graph ID 1800677, start date 23/10/2025, architecture Windows, score 56), reconstructed from the flattened graph export. The sample name lets_#U5b89#U88c5.exe is the sandbox's escaping of lets_安装.exe (U+5B89, U+88C5).

Sample-level signatures: queries Win32_NetworkAdapter, Win32_DiskDrive and Win32_LogicalDisk via WMI (VM / sandbox detection); Joe Sandbox ML detected suspicious sample.
Sample-level network: yandex.com, www.yandex.com and 9 other IPs or domains.

Process tree (indentation = child process; "drops" = files written by that process):
lets_#U5b89#U88c5.exe
    drops C:\Users\user\AppData\Roaming\eTfk.exe (PE32), C:\Users\user\AppData\RoamingFbl.exe (PE32), C:\Users\user\AppData\Local\...\genteert.dll (PE32), 2 other files (none malicious)
    eTfk.exe
        drops C:\Program Files (x86)\...\tap0901.sys (PE32+), C:\Program Files (x86)\...\LetsPRO.exe (PE32), C:\Program Files (x86)\...\LetsPRO.exe.config (XML), 223 other files (1 malicious)
        signatures: bypasses PowerShell execution policy; modifies the Windows firewall; sample is not signed and drops a device driver
        LetsPRO.exe
            LetsPRO.exe: 119.29.29.29:53 (TENCENT-NET-AP, China), 23.98.101.63:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States), 12 other IPs or domains; loading BitLocker PowerShell module
        powershell.exe (loading BitLocker PowerShell module)
            conhost.exe
        tapinstall.exe
            drops C:\Users\user\AppData\...\tap0901.sys (copy) (PE32+), C:\Users\user\AppData\Local\...\SET4474.tmp (PE32+)
            conhost.exe
        8 other processes
            13 other processes
    cmd.exe
        signatures: uses ping.exe to sleep; uses ping.exe to check the status of other devices and networks; uses netsh to modify the Windows network and firewall settings; 2 other signatures
        PING.EXE: 127.0.0.1; WMI queries for Win32_NetworkAdapter, Win32_DiskDrive, Win32_LogicalDisk
            cmd.exe
                conhost.exe
                ARP.EXE (network lookup / discovery via ARP)
            WMIC.exe (Win32_NetworkAdapter)
                conhost.exe
            cmd.exe
                conhost.exe
                ipconfig.exe
            2 other processes
                conhost.exe
                ROUTE.EXE
        conhost.exe
    EFbl.exe
        drops C:\Users\user\AppData\Local\Temp\...Fbl.tmp (PE32)
        EFbl.tmp
            drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
            EFbl.exe
                drops C:\Users\user\AppData\Local\Temp\...Fbl.tmp (PE32)
                EFbl.tmp
                    drops C:\ProgramData\231\a2guard.exe (copy) (PE32+), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\ProgramData\231\log.dll (copy) (PE32), 4 other files (none malicious)
                    a2guard.exe: maps a DLL or memory area into another process; direct / indirect syscall (likely EDR bypass)
                        svchost.exe (injected)
svchost.exe
    drvinst.exe: drops C:\Windows\System32\...\tap0901.sys (copy) (PE32+), C:\Windows\System32\drivers\SET555B.tmp (PE32+); accesses sensitive object manager directories (likely VM detection)
    drvinst.exe: drops C:\Windows\System32\...\tap0901.sys (copy) (PE32+), C:\Windows\System32\...\SET462A.tmp (PE32+)
svchost.exe (changes security center settings)
    MpCmdRun.exe
        conhost.exe
5 other processes (modifies the DNS server)
    LetsPRO.exe

Two reading notes for triage, both inferences from the tree rather than sandbox findings: tap0901.sys is the file name of the OpenVPN TAP-Windows adapter driver and LetsPRO.exe is the VPN client the lure site advertises, so the eTfk.exe branch is a real (if unsigned) VPN installer and most of the 223 dropped files belong to it; the EFbl.exe branch is what deserves attention, because it ends with a2guard.exe (the name of the Emsisoft Anti-Malware guard process) copied into a numeric C:\ProgramData\231\ folder next to a log.dll, and that process then injects into svchost.exe using direct syscalls, which is the shape of a DLL side-loading stage.
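The cmd.exe branch of the tree above (ping 127.0.0.1 as a sleep, netsh firewall changes, WMIC hardware queries, ARP/ROUTE/ipconfig discovery) plus the PowerShell execution-policy bypass and the binary started from C:\ProgramData\231\ are all visible in ordinary process-creation telemetry. The script below is an added example (not Joe Sandbox's or MalwareBazaar's code) that scores a process tree for that combination, counting each technique once per tree so a loop that spawns ping fifty times does not inflate the score. The log it parses is constructed for the example in the shape of a Sysmon Event ID 1 export (pid, ppid, image, command line, pipe separated); the command lines are invented, only the image names, dropped-file paths and the 127.0.0.1 target come from this page, and the weights and threshold are assumptions to tune against your own baseline.

```python
"""
Added example, not sandbox or MalwareBazaar code: score process trees for the
discovery / evasion chain reported for this sample. Log data is constructed.
"""
import re
from collections import defaultdict

# Constructed log: pid|ppid|image|command line. Roots are processes whose parent
# is not in the log. 200.. is the sample's tree, 300.. and 302 are benign noise.
SAMPLE_LOG = r"""
200|4|C:\Users\user\Downloads\lets_install.exe|"C:\Users\user\Downloads\lets_install.exe"
201|200|C:\Windows\System32\cmd.exe|cmd.exe /c ping 127.0.0.1 -n 20 > nul & move /y eTfk.exe "C:\Users\user\AppData\Roaming\eTfk.exe"
202|201|C:\Windows\System32\PING.EXE|ping 127.0.0.1 -n 20
203|201|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name=LetsPRO dir=in action=allow program="C:\Users\user\AppData\Roaming\eTfk.exe"
204|201|C:\Windows\System32\wbem\WMIC.exe|wmic path Win32_NetworkAdapter get MACAddress,Name
205|201|C:\Windows\System32\ARP.EXE|arp -a
206|201|C:\Windows\System32\ipconfig.exe|ipconfig /all
207|200|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\setup.ps1
208|200|C:\ProgramData\231\a2guard.exe|"C:\ProgramData\231\a2guard.exe"
300|5|C:\Windows\System32\cmd.exe|cmd.exe /c ping 8.8.8.8 -n 1
301|300|C:\Windows\System32\PING.EXE|ping 8.8.8.8 -n 1
302|6|C:\Windows\System32\ipconfig.exe|ipconfig /all
"""


def _ping_sleep(_img, _base, cmd):
    # ping to loopback with a repeat count is the classic batch-file sleep;
    # "ping 8.8.8.8 -n 1" (a connectivity check) must not fire.
    m = re.search(r"-n\s+(\d+)", cmd)
    return "ping" in cmd and "127.0.0.1" in cmd and m is not None and int(m.group(1)) >= 5


# (rule name, weight, predicate over lower-cased full image path, basename, command line).
# Weights are assumptions for the example, not a vendor scoring scheme.
RULES = [
    ("ping_sleep", 2, _ping_sleep),
    ("netsh_firewall", 3, lambda img, base, cmd:
        base == "netsh.exe" and re.search(r"\b(advfirewall|firewall)\b", cmd) is not None),
    ("wmic_hw_query", 2, lambda img, base, cmd:
        base == "wmic.exe" and re.search(
            r"win32_(networkadapter|diskdrive|logicaldisk)|\b(nic|diskdrive|logicaldisk)\b", cmd) is not None),
    ("net_discovery", 1, lambda img, base, cmd: base in {"arp.exe", "route.exe", "ipconfig.exe"}),
    ("ps_policy_bypass", 2, lambda img, base, cmd:
        base == "powershell.exe" and re.search(r"-(ex|ep|executionpolicy)\s+bypass", cmd) is not None),
    ("programdata_numeric_dir", 3, lambda img, base, cmd:
        re.match(r"c:\\programdata\\\d+\\[^\\]+\.exe$", img) is not None),
]


def parse_log(text):
    """pid -> event dict; the command line may itself contain '|' so split at most 3 times."""
    events = {}
    for line in text.strip().splitlines():
        pid, ppid, image, cmd = line.split("|", 3)
        events[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "image": image, "cmd": cmd}
    return events


def root_of(pid, events):
    """Walk up the parent chain until the parent is not in the log (guarding against cycles)."""
    seen = set()
    while events[pid]["ppid"] in events and pid not in seen:
        seen.add(pid)
        pid = events[pid]["ppid"]
    return pid


def score_trees(events, threshold=6):
    """One entry per root that triggered anything: distinct rules, weighted score, verdict."""
    hits = defaultdict(set)
    for ev in events.values():
        img = ev["image"].lower()
        base = img.rsplit("\\", 1)[-1]
        cmd = ev["cmd"].lower()
        for name, _w, pred in RULES:
            if pred(img, base, cmd):
                hits[root_of(ev["pid"], events)].add(name)
    weights = {name: w for name, w, _ in RULES}
    report = {}
    for root, names in hits.items():
        score = sum(weights[n] for n in names)
        report[root] = {"image": events[root]["image"], "rules": sorted(names),
                        "score": score, "suspicious": score >= threshold}
    return report


if __name__ == "__main__":
    for root, info in sorted(score_trees(parse_log(SAMPLE_LOG)).items()):
        print(root, info)
```

On the constructed log the sample's tree (root 200) trips all six rules and scores 13, the benign `ping 8.8.8.8 -n 1` chain never appears in the report, and the lone `ipconfig /all` scores 1; the point of scoring distinct techniques per tree rather than per event is that a single discovery command is normal administration and only the combination is the signal.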
Gathering data
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2025-10-23 14:35:53 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation spyware trojan
Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

The only TLP:CLEAR rule that matched is a ransomware rule, while this entry is signed as DCRat, tagged VenomRAT, and none of the sandbox reports above show encryption or ransom-note behaviour. Read the match as a generic string or byte pattern that this sample happens to share, not as evidence that it is Avaddon; it should not be used for family attribution.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145

(this sample)

  
Delivery method
Distributed via web download

Comments