MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9875282eec8dd6f9c8586ecc389cb28816c9feb7ce4ddff6720c47c4942d380. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 17



SHA256 hash: f9875282eec8dd6f9c8586ecc389cb28816c9feb7ce4ddff6720c47c4942d380
SHA3-384 hash: abafaddbda2d51eb39e6c0ccb88a1c612e16547e4cf1a1ae724ea5f1b2143271632f55dcf54f7775b1904c8d08acc7b7
SHA1 hash: 915f4e6668b0ff621d1fd770732c7c22cef7e46a
MD5 hash: e445665faf3ae1bc3e8cbd68b3d29a0b
humanhash: edward-ten-cat-oregon
File name: 0f9875282eec8dd6f9c8586ecc389cb28816c9feb7ce4.exe
Signature: DCRat
File size: 2'046'976 bytes
First seen: 2025-09-17 09:20:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 49152:gF2tzxZ8+KP2e5fAtQDifQ4JG49Jn7w6WgP:gkRVy58hYKZMh2
TLSH: T15D95BF1665925F32C7642B318697013D82D0DB627A52EB0F391F24D3A90BBF4EB725B3
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: DCRat exe RAT


abuse_ch
DCRat C2:
http://202.181.148.70/sanya.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://202.181.148.70/sanya.php | https://threatfox.abuse.ch/ioc/1593297/
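The IOC above is a single URL, and the file section lists three cryptographic hashes plus an imphash that, as the counts next to it show, is shared with tens of thousands of unrelated samples. The following is an added example (not MalwareBazaar, ThreatFox or abuse.ch code) of how an analyst would turn these values into a match against proxy and EDR telemetry. The C2 URL and hashes are the ones on this page; the Squid-style log lines, the client IPs and the EDR events are constructed for the demo and are not real traffic.

```python
"""Match the IOCs from this MalwareBazaar entry against log lines.

Added example; it is not MalwareBazaar, ThreatFox or abuse.ch code. The C2 URL
and file hashes are the values listed on this page. The proxy log lines and the
EDR events are constructed for the demo and are not real telemetry.
"""
from urllib.parse import urlsplit

# Indicators taken from this entry.
C2_URL = "http://202.181.148.70/sanya.php"
FILE_HASHES = {
    "sha256": "f9875282eec8dd6f9c8586ecc389cb28816c9feb7ce4ddff6720c47c4942d380",
    "sha1": "915f4e6668b0ff621d1fd770732c7c22cef7e46a",
    "md5": "e445665faf3ae1bc3e8cbd68b3d29a0b",
}
# Deliberately NOT used for matching: this imphash is shared by tens of
# thousands of AgentTesla/Formbook/SnakeKeylogger samples (see the counts on
# the page), so a hit on it alone says "common .NET packer", not "DCRat".
IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

C2_HOST = urlsplit(C2_URL).hostname
C2_PATH = urlsplit(C2_URL).path

# Constructed Squid-style access.log lines (time elapsed client code/status
# bytes method url ident hierarchy type); clients and the benign host are made up.
PROXY_LOG = """\
1758100000.123 45 10.0.0.15 TCP_MISS/200 512 POST http://202.181.148.70/sanya.php - HIER_DIRECT/202.181.148.70 text/html
1758100001.456 12 10.0.0.15 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1758100002.789 30 10.0.0.22 TCP_MISS/200 300 POST http://202.181.148.70/other.php - HIER_DIRECT/202.181.148.70 text/html
"""

# Constructed EDR file events; the second one is the legitimate WmiPrvSE.exe.
EDR_EVENTS = [
    {"host": "WS-015", "path": r"C:\Users\user\AppData\Roaming\WmiPrvSE.exe",
     "sha256": "F9875282EEC8DD6F9C8586ECC389CB28816C9FEB7CE4DDFF6720C47C4942D380"},
    {"host": "WS-022", "path": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "sha256": "0" * 64},
]


def match_proxy_log(log_text):
    """Return (client, method, url, verdict) for requests to the C2 host.

    An exact URL match is 'c2_url'; any other path on the same host is
    'c2_host' (same infrastructure, worth a look, lower confidence).
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        parts = urlsplit(url)
        if parts.hostname != C2_HOST:
            continue
        verdict = "c2_url" if parts.path == C2_PATH else "c2_host"
        hits.append((client, method, url, verdict))
    return hits


def match_hashes(events):
    """Return 'host:path' for events whose hash equals one listed on the page.

    Comparison is case-insensitive because vendors differ on hex case.
    """
    known = {h.lower() for h in FILE_HASHES.values()}
    return [
        f'{e["host"]}:{e["path"]}'
        for e in events
        if any(str(e.get(k, "")).lower() in known for k in FILE_HASHES)
    ]


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print("proxy", *hit)
    for hit in match_hashes(EDR_EVENTS):
        print("hash", hit)
```

The host-level match is kept separate from the exact-URL match on purpose: the sandbox shows the sample POSTing to this IP, so other paths on 202.181.148.70 are worth triage, but only the listed URL carries ThreatFox's confidence.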

Intelligence


File Origin
# of uploads :
1
# of downloads :
114
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
1666ad4be7201336bcf4def825d23189.exe
Verdict:
Malicious activity
Analysis date:
2025-09-17 07:48:13 UTC
Tags:
dcrat rat remote darkcrystal

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
shell sage hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Loading a suspicious library
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cryptor_detected net_reactor obfuscated obfuscated obfuscated packed packed
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-12T18:20:00Z UTC
Last seen:
2025-09-12T18:20:00Z UTC
Hits:
~10
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Suricata IDS alerts for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Behavior Graph (ID 1779103; sample 0f9875282eec8dd6f9c8586ecc389cb28816c9feb7ce4.exe; start date 17/09/2025; architecture WINDOWS; score 100). Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 11 other signatures.

Process tree as drawn in the graph. "sample" stands for 0f9875282eec8dd6f9c8586ecc389cb28816c9feb7ce4.exe; every dropped .log file is a PE32 executable and every .bat file is a DOS batch file; "..." in a path is the sandbox's own truncation, and two Desktop paths are reproduced exactly as the export rendered them.

sample
  drops: C:\Users\user\Desktop\kTLTKyNc.log (PE32); C:\Users\user\DesktopmlgjGQj.log (PE32, as rendered); C:\Users\user\AppData\...\WmiPrvSE.exe (PE32); 10 other malicious files
  cmd.exe  [Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
    w32tm.exe
    conhost.exe
    chcp.com
    sample  (network: 202.181.148.70, ports 49716, 49720, 49721; HKCIX-AS-AP Hong Kong Commercial Internet Exchange, HK, Hong Kong)
      drops: C:\Users\user\Desktop\tlDbAofq.log (PE32); C:\Users\user\Desktop\BRkIPigd.log (PE32); C:\Users\user\AppData\...\RvL1cycbdY.bat (DOS)
      cmd.exe
        w32tm.exe
        conhost.exe
        chcp.com
        sample
          drops: C:\Users\user\Desktop\wsMrAdzO.log (PE32); C:\Users\user\Desktop\nSctukUl.log (PE32); C:\Users\user\AppData\...\e1ZPDUpkB4.bat (DOS)
          cmd.exe  [Uses ping.exe to sleep]
            conhost.exe
            chcp.com
            PING.EXE
            sample
              drops: C:\Users\user\DesktopbehaviorgraphzRrZxmY.log (PE32, as rendered); C:\Users\user\Desktop\BmJIDwDc.log (PE32); C:\Users\user\AppData\...\VzpByHn75i.bat (DOS)
              cmd.exe  [Uses ping.exe to sleep]
                conhost.exe
                chcp.com
                PING.EXE
                sample
                  drops: C:\Users\user\Desktop\tdNKeulS.log (PE32); C:\Users\user\Desktop\gnwlZzlp.log (PE32); C:\Users\user\AppData\...\b2RsHXtgrT.bat (DOS)
                  cmd.exe
Verdict:
Malware
YARA:
13 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.DCRat
Status:
Malicious
First seen:
2025-09-13 00:04:08 UTC
File Type:
PE (.Net Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:dcrat discovery infostealer rat
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
.NET Reactor protector
Checks computer location settings
Executes dropped EXE
DcRat
Dcrat family
Verdict:
Malicious
Tags:
rat dcrat Win.Packed.Uztuby-10009381-0 DCRat
YARA:
MAL_EXE_DCRat_Jul_08_2
Unpacked files
SHA256 hash:
f9875282eec8dd6f9c8586ecc389cb28816c9feb7ce4ddff6720c47c4942d380
MD5 hash:
e445665faf3ae1bc3e8cbd68b3d29a0b
SHA1 hash:
915f4e6668b0ff621d1fd770732c7c22cef7e46a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24 INDICATOR_EXE_Packed_DotNetReactor
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DotNet_Reactor
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:PureCrypter
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TH_Generic_MassHunt_Webshells_2025_CYFARE
Author:CYFARE
Description:Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments