
Windows Analysis Report
o9jDrpZrgR.exe

Overview

General Information

Sample Name: o9jDrpZrgR.exe
Original Sample Name: c256204deb01c77e21ba17b5e2411245.exe
Analysis ID: 1345582
MD5: c256204deb01c77e21ba17b5e2411245
SHA1: 95ae7fb9f6710368e44a3c4e839d3d7bebbd4d5e
SHA256: f594822a45b8561a9b7a2e2ecf17558a692b1a193cf231617ba1b222723ca3ab
Tags: DCRat, exe

Detection

DCRat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected DCRat
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
.NET source code contains potential unpacker
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
.NET source code contains very large strings
Machine Learning detection for dropped file
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
File is packed with WinRar
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • o9jDrpZrgR.exe (PID: 4308 cmdline: C:\Users\user\Desktop\o9jDrpZrgR.exe MD5: C256204DEB01C77E21BA17B5E2411245)
    • wscript.exe (PID: 5356 cmdline: "C:\Windows\System32\WScript.exe" "C:\reviewruntimeMonitor\oYwPDBVe3AuHG3t6JLon5FNZVJrzPzwK1qz3t5qd93gftXcSil5zO.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 2520 cmdline: C:\Windows\system32\cmd.exe /c ""C:\reviewruntimeMonitor\XfrEwTdqjpljDpai91jT4EKzapK.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • BlockrefBrokerperf.exe (PID: 5520 cmdline: C:\reviewruntimeMonitor/BlockrefBrokerperf.exe MD5: 295BF8D9B734730EFA567C8DA9918FE1)
          • cmd.exe (PID: 5000 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\XJsEcPfXWC.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 3664 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • PING.EXE (PID: 2468 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
            • qBJICEqiLNwXNBLrN.exe (PID: 6604 cmdline: "C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe" MD5: 295BF8D9B734730EFA567C8DA9918FE1)
  • cleanup
No configs have been found
Yara Overview

Initial Sample
Source | Rule | Description | Author
o9jDrpZrgR.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Dropped Files
Source | Rule | Description | Author
C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\reviewruntimeMonitor\BlockrefBrokerperf.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
(1 additional entry not shown)

Memory Dumps
Source | Rule | Description | Author
00000000.00000003.2000894449.0000000004DA6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0000000C.00000002.3242734675.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000003.2000527838.0000000006E2F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000005.00000000.2180051762.0000000000FC2000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000003.1999993579.0000000006524000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
(3 additional entries not shown)

Unpacked PEs
Source | Rule | Description | Author
0.3.o9jDrpZrgR.exe.6e7d70c.1.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0.3.o9jDrpZrgR.exe.657270c.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0.3.o9jDrpZrgR.exe.657270c.0.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
5.0.BlockrefBrokerperf.exe.fc0000.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0.3.o9jDrpZrgR.exe.6e7d70c.1.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
                                  No Sigma rule has matched
Snort IDS Alert
Timestamp: 11/21/23-04:47:24.543305
Source IP: 192.168.2.5
Destination IP: 77.91.124.101
Source Port: 49712
Destination Port: 80
Protocol: TCP
SID: 2048095
Classtype: A Network Trojan was detected


AV Detection

Source: C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\KWPomPtF.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\BnwYCmoX.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\HJnNqbKj.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\XJsEcPfXWC.bat | Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\Desktop\MTqwIPIz.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\qtmQsFEO.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\pwLIWFpU.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: o9jDrpZrgR.exe | ReversingLabs: Detection: 65%
Source: o9jDrpZrgR.exe | Virustotal: Detection: 69%