Windows Analysis Report: Mt6QkZnVbc.exe
Overview
General Information
Sample name: | Mt6QkZnVbc.exe (renamed because the original name is a hash value) |
Original sample name: | 49267a1e4c9cbb955209690e1d82d1d1.exe |
Analysis ID: | 1427111 |
MD5: | 49267a1e4c9cbb955209690e1d82d1d1 |
SHA1: | 47fb7d48398a2049f84c4a68c96ea5ac27513cbe |
SHA256: | 1fbcb895a6e34fb2a307c0c9896b7922ea723e5eea183fa319c0142c5a761fdf |
Tags: | DCRat, exe |
Detection
DCRat
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DCRat
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Disable UAC (promptonsecuredesktop)
Disables UAC (registry)
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- Mt6QkZnVbc.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\Mt6QkZnVbc.exe" MD5: 49267A1E4C9CBB955209690E1D82D1D1)
  - schtasks.exe (PID: 7720 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\services.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7744 cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7760 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7784 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7800 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7820 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7836 cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\dwm.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7852 cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7880 cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7904 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7932 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7952 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7996 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 8016 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 8068 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 8096 cmdline: schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 8116 cmdline: schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 8156 cmdline: schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 1432 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 5460 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 2852 cmdline: schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 4944 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 6976 cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - schtasks.exe (PID: 7344 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - UserOOBEBroker.exe (PID: 2504 cmdline: "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe" MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (PID: 7896 cmdline: "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe" MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (PID: 7920 cmdline: "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe" MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- dwm.exe (PID: 7960 cmdline: C:\Recovery\dwm.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- dwm.exe (PID: 7980 cmdline: C:\Recovery\dwm.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- services.exe (PID: 8024 cmdline: C:\Recovery\services.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- services.exe (PID: 8076 cmdline: C:\Recovery\services.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- sihost.exe (PID: 7820 cmdline: C:\Recovery\sihost.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- sihost.exe (PID: 7836 cmdline: C:\Recovery\sihost.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- UserOOBEBroker.exe (PID: 7912 cmdline: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- UserOOBEBroker.exe (PID: 7952 cmdline: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe MD5: 49267A1E4C9CBB955209690E1D82D1D1)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{"SCRT": "{\"b\":\"-\",\"B\":\"^\",\"1\":\",\",\"a\":\"@\",\"I\":\" \",\"2\":\";\",\"T\":\"&\",\"L\":\"<\",\"z\":\"~\",\"j\":\"%\",\"M\":\"$\",\"w\":\"!\",\"S\":\"`\",\"y\":\"_\",\"F\":\"|\",\"k\":\"(\",\"J\":\"#\",\"u\":\")\",\"W\":\"*\",\"n\":\".\",\"O\":\">\"}", "PCRT": "{\"U\":\"(\",\"J\":\"&\",\"M\":\"#\",\"N\":\"!\",\"G\":\",\",\"C\":\"~\",\"Y\":\";\",\"H\":\"-\",\"R\":\".\",\"D\":\" \",\"B\":\"%\",\"p\":\"<\",\"W\":\"$\",\"h\":\")\",\"I\":\"|\",\"F\":\"^\",\"5\":\"_\",\"Q\":\"*\",\"Z\":\">\",\"n\":\"`\",\"e\":\"@\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ePGv71Xi6eHATgLCXbMW", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 1, "AUR": 1, "AURD": "{C:}/Program Files/WinRAR", "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "H2": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "T": "0"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
MALWARE_Win_DCRat | DCRat payload | ditekSHen | |
System Summary |
---|
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: |
Source: | Author: vburov: |
No Snort rule has matched
AV Detection |
---|
Source: | Avira: | 16 entries (details not extracted) |
Source: | Malware Configuration Extractor: | 1 entry (details not extracted) |
Source: | ReversingLabs: | 9 entries (details not extracted) |
Source: | Virustotal: | 9 entries (details not extracted) |
Source: | Joe Sandbox ML: | 8 entries (details not extracted) |
Source: | Static PE information: | 1 entry (details not extracted) |
Source: | Directory created: | 3 entries (details not extracted) |
Source: | Static PE information: | 1 entry (details not extracted) |
Source: | File opened: | 6 entries (details not extracted) |
Networking |
---|
Source: | URLs: | 1 entry (details not extracted) |
Source: | File source: | 19 entries (details not extracted) |
Source: | String found in binary or memory: | 3 entries (details not extracted) |
System Summary |
---|
Source: | Matched rule: | 19 entries (details not extracted) |
Source: | Long String: | 1 entry (details not extracted) |
Source: | File created: | 8 entries (details not extracted) |
Source: | File deleted: | 1 entry (details not extracted) |
Source: | Code function: | 0_2_00007FFD9B8790B4 | |
Source: | Code function: | 0_2_00007FFD9B88309D | |
Source: | Code function: | 0_2_00007FFD9B870F80 | |
Source: | Code function: | 13_2_00007FFD9B8B0F88 | |
Source: | Code function: | 15_2_00007FFD9B8A5141 | |
Source: | Code function: | 18_2_00007FFD9B890F88 | |
Source: | Code function: | 19_2_00007FFD9B8A0F88 | |
Source: | Code function: | 22_2_00007FFD9B8A5141 | |
Source: | Code function: | 24_2_00007FFD9B875141 | |
Source: | Code function: | 35_2_00007FFD9B895141 | |
Source: | Code function: | 36_2_00007FFD9B8B5141 | |
Source: | Code function: | 37_2_00007FFD9B8A5141 | |
Source: | Code function: | 38_2_00007FFD9B895141 | |
Source: | Code function: | 39_2_00007FFD9B8A5141 |
Source: | Binary or memory string: | 33 entries (details not extracted) |
Source: | Static PE information: | 1 entry (details not extracted) |
Source: | Matched rule: | 19 entries (details not extracted) |
Source: | Cryptographic APIs: | 3 entries (details not extracted) |
Source: | Base64 encoded string: | 3 entries (details not extracted) |