MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
SHA3-384 hash: c4daa4e7f608997a29d2811faf4997d937f8e0ae016bd5ea44712055fe28334ada6b3ee953ef55d98e33ce3cd1765040
SHA1 hash: b57a55e1800330866a295c2da3e9a54d00bd1ab7
MD5 hash: b10428ac4662ff9894d262028d6326b7
humanhash: ink-florida-fix-carpet
File name:b10428ac4662ff9894d262028d6326b7.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:13'541'097 bytes
First seen:2025-05-01 07:01:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep 196608:rz3FK9DhagLsA1Y5zXlPAZmwipIxXoSTlzdFfCtlIZ/9iZXK:vg9FagO9V4IhGx4ShrfTZ/9X
Threatray 1 similar samples on MalwareBazaar
TLSH T13FD6BE03FC9545A9D0AAA731C6A79252BB70BC480B3663D73B60F7382F727D06A79744
TrID 76.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
12.4% (.EXE) InstallShield setup (43053/19/16)
4.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.0% (.EXE) Win64 Executable (generic) (10522/11/4)
1.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://cs20315.tw1.ru/c51d18f4.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://cs20315.tw1.ru/c51d18f4.php https://threatfox.abuse.ch/ioc/1514380/

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
2025-04-20_b10428ac4662ff9894d262028d6326b7_black-basta_chapak_cova_elex_hawkeye_luca-stealer_poet-rat
Verdict:
Malicious activity
Analysis date:
2025-04-20 18:12:39 UTC
Tags:
auto sliverfox dcrat rat auto-sch remote darkcrystal
Link:
https://app.any.run/tasks/f9a4262a-7dd0-47e6-b1f5-3b2b76a84e2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/5408/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

Win.Trojan.Uztuby-10010740-0
Create hunting rule

Win.Trojan.Injector-6297685-1
Create hunting rule

Win.Trojan.Agent-345883
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680539172203b3e10cd1eb0a
Tags:
phishing autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Blocking the User Account Control
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
TrojanDropper.Delf
Link:
https://www.hybrid-analysis.com/sample/f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d39c5c82-85fb-44cc-b880-a5e3a593e626
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1679061
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1679061 Sample: qGAJvmGSgT.exe Startdate: 01/05/2025 Architecture: WINDOWS Score: 100 74 api.github.com 2->74 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Antivirus detection for URL or domain 2->82 84 10 other signatures 2->84 12 qGAJvmGSgT.exe 3 2->12         started        15 T5n1BHaDDN.exe 2->15         started        18 8VosvEmFVu7p.exe 2->18         started        20 5 other processes 2->20 signatures3 process4 file5 70 C:\Users\user\AppData\...\DCRatBuild.exe, PE32 12->70 dropped 72 C:\Users\user\AppData\...\Bootstrapper.exe, PE32+ 12->72 dropped 22 DCRatBuild.exe 3 6 12->22         started        26 Bootstrapper.exe 1 12->26         started        104 Antivirus detection for dropped file 15->104 106 Multi AV Scanner detection for dropped file 15->106 signatures6 process7 dnsIp8 58 C:\...\runtimedhcp.exe, PE32 22->58 dropped 60 C:\...\eER6NZHQG706vQ6m.vbe, data 22->60 dropped 94 Multi AV Scanner detection for dropped file 22->94 29 wscript.exe 1 22->29         started        76 api.github.com 140.82.114.5, 443, 49681 GITHUBUS United States 26->76 96 Antivirus detection for dropped file 26->96 98 Installs new ROOT certificates 26->98 32 conhost.exe 26->32         started        file9 signatures10 process11 signatures12 102 Windows Scripting host queries suspicious COM object (likely to drop second stage) 29->102 34 cmd.exe 1 29->34         started        process13 process14 36 runtimedhcp.exe 2 8 34->36         started        40 conhost.exe 34->40         started        file15 54 C:\Recovery\T5n1BHaDDN.exe, PE32 36->54 dropped 56 C:\...\otrgen1ABqkeZFRLtjPNKt2.exe, PE32 36->56 dropped 86 Antivirus detection for dropped file 36->86 88 Multi AV Scanner detection for dropped file 36->88 90 Drops PE files to the user root directory 36->90 92 5 other signatures 36->92 42 runtimedhcp.exe 17 36->42         started        signatures16 process17 file18 62 C:\Windows\bcastdvr\WmiPrvSE.exe, PE32 42->62 dropped 64 C:\Windows\ModemLogs\8VosvEmFVu7p.exe, PE32 42->64 dropped 66 C:\Users\user\lsass.exe, PE32 42->66 dropped 68 4 other malicious files 42->68 dropped 100 Drops executable to a common third party application directory 42->100 46 schtasks.exe 42->46         started        48 schtasks.exe 42->48         started        50 schtasks.exe 42->50         started        52 15 other processes 42->52 signatures19 process20
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c/
Threat name:
Win32.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2025-04-20 00:31:46 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7h6s6y73dnz34huwbk22mvzku2lie6pfnkk3xbdpu7veceflqz6a._file
Verdict:
malicious
Label(s):
dcrat
Create hunting rule
Similar samples:
error
DCRat
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat defense_evasion discovery infostealer rat trojan
Link:
https://tria.ge/reports/250501-hty2ratnx8/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
DCRat payload
DcRat
Dcrat family
Process spawned unexpected child process
UAC bypass
Verdict:
Malicious
Tags:
Win.Trojan.Uztuby-9855059-0
YARA:
n/a
Link:
https://app.threat.zone/submission/810f3b37-c424-4aca-93e1-d39618bdd2a6
Unpacked files
SH256 hash:
f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
MD5 hash:
b10428ac4662ff9894d262028d6326b7
SHA1 hash:
b57a55e1800330866a295c2da3e9a54d00bd1ab7
Link:
https://www.unpac.me/results/f8068650-768a-43f2-8008-0ecb970b381b/
SH256 hash:
37bde6655e1272e159b9c2e3a7eee3f4e9a837c0f04240645d3991d112287f8d
MD5 hash:
f2a6133b7f38fc49f792ae799d1b4750
SHA1 hash:
6bef46ddde325f45a0e9ff123112c96bbd47c795
Link:
https://www.unpac.me/results/f8068650-768a-43f2-8008-0ecb970b381b/
SH256 hash:
b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f
MD5 hash:
89bf0f7e9adf290c6d571eccf79206a9
SHA1 hash:
65f95791234ff93bc3e35f1d35d7a6664872dc56
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/f8068650-768a-43f2-8008-0ecb970b381b/
Parent samples :
d5775aecd2e8d149e2b9ba576ddc2db3624a974cafc8fc1df318226fc2c6d4b4
8e997bef9ad61722cb7b782da93b7373acd19dbdc4cb91b47e80280e2100b6a3
5ba1b028da2c0e52c38c7a55bf1e7952cc50c907576ec2f22b6a25d691dde2d6
be15d47389920ab9637eefc24bbf6c191607013a3d2608c1243a377aacb5d4ce
f027301d00c6bc4b1c87e5e3266775f395907fa04e2c768b7082381d60880f82
b1088573c2e783e97fb07ccf1d8d8e9372ccd8983cc07c7ee9c6989a3844b334
e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff
45e1440acf3453915252d0d61ffcee6fd96170ccf2323c16178dfaaa186565f8
1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
f733fbe95a7fe8a2c0ef459b05fed88b7a295de5e39c591bf62d3e0a5575e6fc
658b0a01404144b5da03574e2a05b6c02030baa2276b9e047174c6ccb3e8918d
cf4efad0b9d74151b09be4acfb12d1aea2a9e316b97a2eb7f4ca8ac12b0e6d8c
381bb149e04bec8f62336cdf3c81741c2c7a471f6dacc2f7835eb174643abad7
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
1a39cff5d5b0b550cd9b30f08c0e32430c2e1b92aecc663d4151789e54d13f64
1b881d8c3ba53e9b250de6d1118a27738fd8e88fd475e3e01afabd4e627f83a2
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
2ec983b4653f6a5ee028e9ecfa37d8cf2404a10e9691bb8ed39023be643ef55e
797bbd3d5e08ab4919540911ab6149be0c6f38de3659378bf38fc5ac01ccee48
4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
4d908524b238846077a6fb1df34be93ae926e13c15bb8ac5c45a8980ef4862ce
581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892
8ac5083f52da0ff312259331f65b326782803aa837a7b371a6d43a021b0c24c3
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
e1a60229372db9d65dbadfe6db923edf3987ac9f908878491bd12497613324d8
41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
ab71530434f64e6aa105732c42dbb5a409ac0aae4258b3c3e7db1a7d5914cc30
3b88fdeb5144b0f3a710b42cefa937e57aed28001acb82562229472ce258a124
70fbebc77d5f37a0ffd373be6ee9f218a5ea30b86e395e7212b850f0f6934b6f
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
1d6628a6cd66f3dd7f3377ee1c30e8a92cedb1d40f5a121b84e5ab84a0e19909
841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4
1b304c8a2ae4546bd7958c7f22becaf6b682a5c88b7a01945a952de991b0ef0b
693cf45b243073eeb5479f4b29ff36c417b858b042363cf1a53d7623504a6d29
f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
48be2502fad84657b383c41b2616f34a029f9a39d63aae1a1714faf7ba79e3da
SH256 hash:
e6b1a9e4e7f719fa3ee21963d274435d68cd26f6c8bd169f32c7838d9a3b1868
MD5 hash:
5f4235f04ce4b641223277ce28ac66f5
SHA1 hash:
d0080799717ad903a549864f8118bb3ae7b1622a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f8068650-768a-43f2-8008-0ecb970b381b/
Parent samples :
5c234afeb75068dca4cb4d42b921b0890e20f9fd126fbf1cc3c5e8987029ab47
f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9fd2f63fb1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/5408/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetTempPathA

Comments