{
	"id": "b349b2cb-e414-40ae-bd46-5f7507017e70",
	"created_at": "2026-04-06T00:09:37.254838Z",
	"updated_at": "2026-04-10T03:22:08.398317Z",
	"deleted_at": null,
	"sha1_hash": "ddb7b22e647802f42776611d470777dfbfaacefb",
	"title": "DCRAT malware Evades SandBox that use Fake Internet by using the Google public DNS IP address....",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1349686,
	"plain_text": "DCRAT malware Evades SandBox that use Fake Internet by using\r\nthe Google public DNS IP address....\r\nPublished: 2019-10-02 · Archived: 2026-04-05 22:05:31 UTC\r\nIn the past few days, I saw a nice post by @James_inthe_box regarding DCRAT malware, which may do several things based on the IOC strings he shared in that post. I fetched it today and found an interesting technique it uses to evade sandboxes that use a fake internet to spoof the internet connection during malware analysis.\r\nhttps://twitter.com/James_inthe_box/status/1178275531692756992?s=20\r\nfigure 3: The digital signature of daaca.exe\r\nThe Evasion Technique:\r\nThe obfuscated code starts by decrypting the initial APIs it needs and also the Google public DNS host name, whose DNS information it fetches later.\r\nhttps://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html\r\nPage 1 of 7\n\nfigure 4: initial API and the google public host name string\r\nThen it resolves all the APIs and calls gethostbyname on the Google public DNS domain name \"google-public-dns-a.google.com\" to retrieve its DNS information, and uses the returned h_addr_list (the resolved address) to decrypt the code that will decompress the DCloader and its .DLL components. A sandbox that spoofs the internet and answers the lookup with a different address therefore feeds the wrong value into the decryption, and the payload is never unpacked.\r\nfigure 5: retrieving DNS information to the google public dns domain name.\r\nThe decrypted code allocates two virtual memory regions and decompresses its code into them using the RtlDecompressBuffer API.\r\nfigure 6: retrieving hostent of the google public DNS\r\nfigure 7: decompressing the dcrat malware\r\nThe decrypted DCRAT consists of a loader and two .dll files (32 bit \u0026 64 bit) that will be injected into explorer.exe.\r\nfigure 8: DCRAT malware\r\nConclusion:\r\nThis malware shows a simple way to detect an internet connection during its execution and thereby evade the sandboxes that 
are using fake internet. I know that this trick is quite easy for a malware analyst to overcome, but it is good to know in order to improve automation and blackbox testing. :)\r\nsha1: 563d9f1b35b4898d16aff1dccd8969299f7ab8b7\r\nmd5: b478d340a787b85e086cc951d0696cb1\r\nIOC and strings: \r\nSource: https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html"
	],
	"report_names": [
		"dcrat-malware-evades-sandbox-that-use.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434177,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddb7b22e647802f42776611d470777dfbfaacefb.pdf",
		"text": "https://archive.orkl.eu/ddb7b22e647802f42776611d470777dfbfaacefb.txt",
		"img": "https://archive.orkl.eu/ddb7b22e647802f42776611d470777dfbfaacefb.jpg"
	}
}