MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eab87dd44560f33c6754aa5265f8d958cd900e06b9ab1dc7a221d0202ffc2e8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eab87dd44560f33c6754aa5265f8d958cd900e06b9ab1dc7a221d0202ffc2e8a
SHA3-384 hash: 64d583d95832ba0725f9741cf39a4c27d2f269a89797d3dde2cb5864f53da5bf72925bf9eafd2d45c673da401e850e5b
SHA1 hash: ddf4b77ac68a27fdce1704285f5bc93daabbfc0d
MD5 hash: 1ad42b39ef38e189b35f5948d6a77c8a
humanhash: bakerloo-sweet-nitrogen-alpha
File name:Hiddify-Windows-Setup.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:29'814'384 bytes
First seen:2025-09-11 14:21:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (76 x DCRat, 22 x njrat, 17 x SalatStealer)
ssdeep 786432:6q2cb7YGWlWVMKa1FVvmnq6oZPFF2fYrnGd0D:6HC78HTZmnq6iFCyHD
Threatray 2'698 similar samples on MalwareBazaar
TLSH T17767330276C39E36D2690B364563563D52F7A7213923EF0B3BA901D9DE077A04F7A263
TrID 55.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
22.4% (.EXE) Inno Setup installer (107240/4/30)
9.0% (.EXE) InstallShield setup (43053/19/16)
8.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
2.2% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
Reporter burger
Tags:DCRat exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://512920cm.nyash.es/externalTogeoUpdateDefaultSqlwindowstestTrackUploads.php https://threatfox.abuse.ch/ioc/1588068/

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
Hiddify-Windows-Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 14:21:53 UTC
Tags:
delphi inno installer dcrat rat auto-reg auto-sch github remote darkcrystal stealer evasion telegram exfiltration antivm golang
Link:
https://app.any.run/tasks/327e6f8f-4c5e-4fe7-80ff-ecab4df69896

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26933/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c2db01b20052598879ced1
Tags:
vmdetect autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Loading a suspicious library
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 fingerprint invalid-signature obfuscated packed reconnaissance signed
Link:
https://www.filescan.io/uploads/68c2db71dbc6f5a29c402adb/reports/2eb255cd-e9bb-4f05-a5ed-b86c2051e41c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/eab87dd44560f33c6754aa5265f8d958cd900e06b9ab1dc7a221d0202ffc2e8a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-10T11:42:00Z UTC
Last seen:
2025-09-10T11:42:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-PSW.MSIL.Disco.gen Trojan-Spy.Agent.HTTP.C&C Trojan-PSW.Disco.HTTP.C&C Trojan.MSIL.Dnoper.sb Backdoor.Agent.HTTP.C&C Trojan-Dropper.Win32.Delfea.sb Trojan-Dropper.Win32.Delf.eimp Trojan-Dropper.Win32.Agent.gen Backdoor.MSIL.DCRat.sb Trojan-PSW.DCRat.HTTP.C&C Trojan.Win32.Agent.sb HEUR:Trojan.Script.Agent.gen NetTool.TelegramSendPhoto.HTTP.C&C VHO:Backdoor.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/eab87dd44560f33c6754aa5265f8d958cd900e06b9ab1dc7a221d0202ffc2e8a/results?tab=lookup
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775695
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1775695 Sample: Hiddify-Windows-Setup.exe Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 154 api.telegram.org 2->154 156 api.ip.sb 2->156 158 5 other IPs or domains 2->158 172 Suricata IDS alerts for network traffic 2->172 174 Found malware configuration 2->174 176 Antivirus detection for dropped file 2->176 180 14 other signatures 2->180 12 Hiddify-Windows-Setup.exe 3 2->12         started        15 Idle.exe 2->15         started        18 7HQnTujalO3aZ11r6Dkid.exe 2->18         started        20 5 other processes 2->20 signatures3 178 Uses the Telegram API (likely for C&C communication) 154->178 process4 file5 146 2 other malicious files 12->146 dropped 22 Hiddify-Windows-Setup-x64.exe 2 12->22         started        25 VPN.exe 3 11 12->25         started        134 C:\Users\user\Desktop\xJlfuDDd.log, PE32 15->134 dropped 136 C:\Users\user\Desktop\fwKaahiO.log, PE32 15->136 dropped 138 C:\Users\user\Desktop\WTBlqnSg.log, PE32 15->138 dropped 148 4 other malicious files 15->148 dropped 212 Multi AV Scanner detection for dropped file 15->212 214 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->214 216 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 15->216 28 cmd.exe 15->28         started        140 C:\Users\user\Desktop\rcNhhDWg.log, PE32 18->140 dropped 142 C:\Users\user\Desktop\htuRxbRy.log, PE32 18->142 dropped 144 C:\Users\user\Desktop\awGRUMWJ.log, PE32 18->144 dropped 150 4 other malicious files 18->150 dropped 30 cmd.exe 18->30         started        signatures6 process7 file8 120 C:\Users\...\Hiddify-Windows-Setup-x64.tmp, PE32 22->120 dropped 32 Hiddify-Windows-Setup-x64.tmp 28 374 22->32         started        122 C:\Users\user\AppData\...\mschainCommon.exe, PE32 25->122 dropped 124 FhJqaTYnZizTp91yu3...NJngdaiTmONRH6l.vbe, data 25->124 dropped 190 Multi AV Scanner detection for dropped file 25->190 35 wscript.exe 1 25->35         started        38 Idle.exe 28->38         started        41 conhost.exe 28->41         started        192 Drops executables to the windows directory (C:\Windows) and starts them 30->192 43 conhost.exe 30->43         started        45 7HQnTujalO3aZ11r6Dkid.exe 30->45         started        signatures9 process10 dnsIp11 104 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 32->104 dropped 106 C:\...\window_manager_plugin.dll (copy), PE32+ 32->106 dropped 108 C:\...\vcruntime140_1.dll (copy), PE32+ 32->108 dropped 116 36 other malicious files 32->116 dropped 47 sc.exe 32->47         started        49 taskkill.exe 32->49         started        51 Hiddify.exe 32->51         started        55 net.exe 32->55         started        182 Windows Scripting host queries suspicious COM object (likely to drop second stage) 35->182 184 Suspicious execution chain found 35->184 57 cmd.exe 35->57         started        166 api.telegram.org 149.154.167.220, 443, 49714 TELEGRAMRU United Kingdom 38->166 168 512920cm.nyash.es 104.21.30.213, 49704, 49705, 49706 CLOUDFLARENETUS United States 38->168 170 ipinfo.io 34.117.59.81, 443, 49711 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 38->170 110 C:\Users\user\Desktop\uZuxsslb.log, PE32 38->110 dropped 112 C:\Users\user\Desktop\dSdSZGFM.log, PE32 38->112 dropped 114 C:\Users\user\Desktop\SeybpuKe.log, PE32 38->114 dropped 118 4 other malicious files 38->118 dropped 186 Tries to harvest and steal browser information (history, passwords, etc) 38->186 file12 signatures13 process14 dnsIp15 59 mschainCommon.exe 47->59         started        63 conhost.exe 47->63         started        65 conhost.exe 47->65         started        67 conhost.exe 49->67         started        160 o4505891494100992.ingest.sentry.io 34.120.195.249, 443, 49703 GOOGLEUS United States 51->160 162 raw.githubusercontent.com 185.199.110.133, 443, 49695 FASTLYUS Netherlands 51->162 164 api.ip.sb.cdn.cloudflare.net 104.26.13.31, 443, 49694, 49696 CLOUDFLARENETUS United States 51->164 188 Query firmware table information (likely to detect VMs) 51->188 69 conhost.exe 55->69         started        71 net1.exe 55->71         started        signatures16 process17 file18 126 C:\Windows\SKB\...\7HQnTujalO3aZ11r6Dkid.exe, PE32 59->126 dropped 128 C:\Users\user\Desktop\yODEmxMv.log, PE32 59->128 dropped 130 C:\Users\user\Desktop\kptxvYHV.log, PE32 59->130 dropped 132 10 other malicious files 59->132 dropped 204 Multi AV Scanner detection for dropped file 59->204 206 Detected unpacking (creates a PE file in dynamic memory) 59->206 208 Creates an undocumented autostart registry key 59->208 210 3 other signatures 59->210 73 cmd.exe 59->73         started        76 csc.exe 59->76         started        79 powershell.exe 59->79         started        83 5 other processes 59->83 81 svchost.exe 67->81 injected signatures19 process20 file21 194 Uses ping.exe to sleep 73->194 196 Uses ping.exe to check the status of other devices and networks 73->196 98 4 other processes 73->98 152 C:\Windows\...\SecurityHealthSystray.exe, PE32 76->152 dropped 198 Infects executable files (exe, dll, sys, html) 76->198 85 conhost.exe 76->85         started        87 cvtres.exe 76->87         started        200 Loading BitLocker PowerShell Module 79->200 100 2 other processes 79->100 89 consent.exe 81->89         started        92 conhost.exe 83->92         started        94 conhost.exe 83->94         started        96 conhost.exe 83->96         started        102 2 other processes 83->102 signatures22 process23 signatures24 202 Writes to foreign memory regions 89->202
Score:
79%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eab87dd44560f33c6754aa5265f8d958cd900e06b9ab1dc7a221d0202ffc2e8a
Verdict:
Malware
YARA:
9 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET Obfuscated PDB Path PE (Portable Executable) PE File Layout SOS: 0.84 VBScript Encoded Win 32 Exe WScript.Shell x86
Link:
https://app.malva.re/file/1ad42b39ef38e189b35f5948d6a77c8a
Gathering data
Verdict:
Malicious
Threat:
Family.DCRAT
Link:
https://tip.neiki.dev/file/eab87dd44560f33c6754aa5265f8d958cd900e06b9ab1dc7a221d0202ffc2e8a
Threat name:
Win32.Trojan.Dorv
Create hunting rule
Status:
Malicious
First seen:
2025-09-10 18:39:28 UTC
File Type:
PE (Exe)
Extracted files:
413
AV detection:
33 of 37 (89.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5k4h3vcfmdztyz2uvjjgl6gzldgzadqgxgvr3r5cehical74f2fa._file
Verdict:
malicious
Label(s):
unc_loader_051
Create hunting rule
Similar samples:
0c2bc77b457a5c275fa8420bdd7a9b4635a1246af0a7548da4c95705252456f2
DCRat
26fbcc5e8567054c4de9a8514704645e69ffe5eaf91b595d047c90150175c0fa
DCRat
6959a2d02d817dc97a1247036d48ad3ac5d720fbf0f49039eec1570d0183109d
DCRat
811f30601dbe15e0d78bf4f8319caf3dbed4227af4c08bccf8e7b33229375576
DCRat
cf3490aa43bed478680fcaf4cb718d98929b4c6c1f1f235d7187179094eeab7d
DCRat
error
DCRat
+ 2'688 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat defense_evasion discovery execution infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/250911-rytghazr17/
Behaviour
Kills process with taskkill
Modifies registry class
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Stops running service(s)
DcRat
Dcrat family
Modifies WinLogon for persistence
Process spawned unexpected child process
Verdict:
Malicious
Tags:
Win.Packed.Uztuby-10009381-0
YARA:
n/a
Link:
https://app.threat.zone/submission/df87c554-ee00-4a5b-a9f9-18e5ba893617
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:dcrat_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26933/

Comments