Edit tour
Windows
Analysis Report
13ZNp2xvRU.exe
Overview
General Information
| Sample name: | 13ZNp2xvRU.exerenamed because original name is a hash value |
| Original sample name: | 2519412bd469ce3de2888aa487be8f51.exe |
| Analysis ID: | 1430583 |
| MD5: | 2519412bd469ce3de2888aa487be8f51 |
| SHA1: | 91dd80c942023f360e81e27f4964504acb9bc4c5 |
| SHA256: | 7e98baea7a5b0d51143910cde4c5503ae15d55d6f88b4b840ae7fe79469ed12f |
| Tags: | DCRatexe |
| Infos: |   |
 | |
Detection
DCRat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
13ZNp2xvRU.exe (PID: 6544 cmdline: "C:\Users\ user\Deskt op\13ZNp2x vRU.exe" MD5: 2519412BD469CE3DE2888AA487BE8F51) - schtasks.exe (PID: 5216 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 6 /tr "'C:\ Recovery\R RVGfHJzvQM YfWe.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6404 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW e" /sc ONL OGON /tr " 'C:\Recove ry\RRVGfHJ zvQMYfWe.e xe'" /rl H IGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 5800 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 7 /tr "'C:\ Recovery\R RVGfHJzvQM YfWe.exe'" /rl HIGHE ST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 2996 cmdline:
schtasks.e xe /create /tn "Regi stryR" /sc MINUTE /m o 7 /tr "' C:\Windows \twain_32\ Registry.e xe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 3496 cmdline:
schtasks.e xe /create /tn "Regi stry" /sc ONLOGON /t r "'C:\Win dows\twain _32\Regist ry.exe'" / rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 1900 cmdline:
schtasks.e xe /create /tn "Regi stryR" /sc MINUTE /m o 6 /tr "' C:\Windows \twain_32\ Registry.e xe'" /rl H IGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6668 cmdline:
schtasks.e xe /create /tn "smar tscreens" /sc MINUTE /mo 7 /tr "'C:\User s\All User s\smartscr een.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 7052 cmdline:
schtasks.e xe /create /tn "smar tscreen" / sc ONLOGON /tr "'C:\ Users\All Users\smar tscreen.ex e'" /rl HI GHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6376 cmdline:
schtasks.e xe /create /tn "smar tscreens" /sc MINUTE /mo 14 /t r "'C:\Use rs\All Use rs\smartsc reen.exe'" /rl HIGHE ST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6984 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 1 2 /tr "'C: \Windows\P LA\Templat es\RRVGfHJ zvQMYfWe.e xe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 2996 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW e" /sc ONL OGON /tr " 'C:\Window s\PLA\Temp lates\RRVG fHJzvQMYfW e.exe'" /r l HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 3496 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 1 0 /tr "'C: \Windows\P LA\Templat es\RRVGfHJ zvQMYfWe.e xe'" /rl H IGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 1900 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 1 1 /tr "'C: \Program F iles (x86) \google\Up date\RRVGf HJzvQMYfWe .exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6668 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW e" /sc ONL OGON /tr " 'C:\Progra m Files (x 86)\google \Update\RR VGfHJzvQMY fWe.exe'" /rl HIGHES T /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 7052 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 6 /tr "'C:\ Program Fi les (x86)\ google\Upd ate\RRVGfH JzvQMYfWe. exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6432 cmdline:
schtasks.e xe /create /tn "User OOBEBroker U" /sc MIN UTE /mo 6 /tr "'C:\W indows\IME \IMETC\HEL P\UserOOBE Broker.exe '" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 2412 cmdline:
schtasks.e xe /create /tn "User OOBEBroker " /sc ONLO GON /tr "' C:\Windows \IME\IMETC \HELP\User OOBEBroker .exe'" /rl HIGHEST / f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 4080 cmdline:
schtasks.e xe /create /tn "User OOBEBroker U" /sc MIN UTE /mo 12 /tr "'C:\ Windows\IM E\IMETC\HE LP\UserOOB EBroker.ex e'" /rl HI GHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 3496 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 1 0 /tr "'C: \Recovery\ RRVGfHJzvQ MYfWe.exe' " /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6736 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW e" /sc ONL OGON /tr " 'C:\Recove ry\RRVGfHJ zvQMYfWe.e xe'" /rl H IGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6264 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 1 4 /tr "'C: \Recovery\ RRVGfHJzvQ MYfWe.exe' " /rl HIGH EST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6572 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 1 0 /tr "'C: \Program F iles (x86) \java\RRVG fHJzvQMYfW e.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 5844 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW e" /sc ONL OGON /tr " 'C:\Progra m Files (x 86)\java\R RVGfHJzvQM YfWe.exe'" /rl HIGHE ST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 3260 cmdline:
schtasks.e xe /create /tn "RRVG fHJzvQMYfW eR" /sc MI NUTE /mo 9 /tr "'C:\ Program Fi les (x86)\ java\RRVGf HJzvQMYfWe .exe'" /rl HIGHEST / f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 2996 cmdline:
schtasks.e xe /create /tn "font drvhostf" /sc MINUTE /mo 12 /t r "'C:\Win dows\Panth er\setup.e xe\fontdrv host.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 3608 cmdline:
schtasks.e xe /create /tn "font drvhost" / sc ONLOGON /tr "'C:\ Windows\Pa nther\setu p.exe\font drvhost.ex e'" /rl HI GHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - schtasks.exe (PID: 6400 cmdline:
schtasks.e xe /create /tn "font drvhostf" /sc MINUTE /mo 13 /t r "'C:\Win dows\Panth er\setup.e xe\fontdrv host.exe'" /rl HIGHE ST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - RRVGfHJzvQMYfWe.exe (PID: 6376 cmdline:
"C:\Progra m Files (x 86)\google \Update\RR VGfHJzvQMY fWe.exe" MD5: 2519412BD469CE3DE2888AA487BE8F51)
- fontdrvhost.exe (PID: 2504 cmdline:
C:\Windows \Panther\s etup.exe\f ontdrvhost .exe MD5: 2519412BD469CE3DE2888AA487BE8F51)
- fontdrvhost.exe (PID: 6260 cmdline:
C:\Windows \Panther\s etup.exe\f ontdrvhost .exe MD5: 2519412BD469CE3DE2888AA487BE8F51)
- Registry.exe (PID: 7188 cmdline:
C:\Windows \twain_32\ Registry.e xe MD5: 2519412BD469CE3DE2888AA487BE8F51)
- Registry.exe (PID: 7224 cmdline:
C:\Windows \twain_32\ Registry.e xe MD5: 2519412BD469CE3DE2888AA487BE8F51)
- RRVGfHJzvQMYfWe.exe (PID: 7260 cmdline:
"C:\Progra m Files (x 86)\java\R RVGfHJzvQM YfWe.exe" MD5: 2519412BD469CE3DE2888AA487BE8F51)
- RRVGfHJzvQMYfWe.exe (PID: 7292 cmdline:
"C:\Progra m Files (x 86)\java\R RVGfHJzvQM YfWe.exe" MD5: 2519412BD469CE3DE2888AA487BE8F51)
- smartscreen.exe (PID: 7340 cmdline:
"C:\Users\ All Users\ smartscree n.exe" MD5: 2519412BD469CE3DE2888AA487BE8F51)
- smartscreen.exe (PID: 7372 cmdline:
"C:\Users\ All Users\ smartscree n.exe" MD5: 2519412BD469CE3DE2888AA487BE8F51)
- UserOOBEBroker.exe (PID: 7396 cmdline:
C:\Windows \IME\IMETC \HELP\User OOBEBroker .exe MD5: 2519412BD469CE3DE2888AA487BE8F51)
- UserOOBEBroker.exe (PID: 7404 cmdline:
C:\Windows \IME\IMETC \HELP\User OOBEBroker .exe MD5: 2519412BD469CE3DE2888AA487BE8F51)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution |
{"SCRT": "{\"j\":\">\",\"l\":\";\",\"u\":\" \",\"W\":\"@\",\"V\":\".\",\"k\":\"-\",\"O\":\"*\",\"H\":\"#\",\"D\":\"%\",\"5\":\"`\",\"p\":\"~\",\"d\":\")\",\"A\":\",\",\"M\":\"!\",\"8\":\"<\",\"N\":\"&\",\"i\":\"$\",\"I\":\"^\",\"4\":\"|\",\"2\":\"(\",\"w\":\"_\"}", "PCRT": "{\"i\":\"(\",\"I\":\"@\",\"d\":\"_\",\"6\":\"^\",\"0\":\"$\",\"c\":\"!\",\"R\":\"%\",\"9\":\" \",\"j\":\"#\",\"w\":\")\",\"G\":\">\",\"y\":\"-\",\"Y\":\"*\",\"b\":\";\",\"l\":\"`\",\"=\":\".\",\"U\":\"<\",\"n\":\"~\",\"p\":\"|\",\"T\":\"&\",\"S\":\",\"}", "TAG": "", "MUTEX": "DCR_MUTEX-6cV1joJwieGuWPhbIJ4v", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://45.130.42.16/6/api144/9Wp/@0xWdhZWZkRWYvx2ZpJUdwNWb2V2Zh1WS", "H2": "http://45.130.42.16/6/api144/9Wp/@0xWdhZWZkRWYvx2ZpJUdwNWb2V2Zh1WS", "T": "0"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| Click to see the 28 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
Persistence and Installation Behavior | |
|---|
| Source: | Author: Joe Security: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Networking | |
|---|
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||