Windows
Analysis Report
4c6fK85tK7.exe
Overview
General Information
Sample name: | 4c6fK85tK7.exe (renamed because original name is a hash value) |
Original sample name: | 68DFE1E08B8CC7D19FF72334FDD09DB8.exe |
Analysis ID: | 1431492 |
MD5: | 68dfe1e08b8cc7d19ff72334fdd09db8 |
SHA1: | 34fb36f9b553c26b0753f540b6a8af1760bb74dc |
SHA256: | a5f4363625928d7fb64087212bd9d094972260739b274f44b53bbbd5be6d19b7 |
Tags: | DCRat, exe |
Detection
DCRat
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- 4c6fK85tK7.exe (PID: 6692 cmdline: "C:\Users\user\Desktop\4c6fK85tK7.exe" MD5: 68DFE1E08B8CC7D19FF72334FDD09DB8)
- yberLoad.exe (PID: 4588 cmdline: "C:\Users\user\AppData\Local\Temp\ yberLoad.exe" MD5: A84070968353EDCC9559F54DEEDD8FE9)
- MVPLoader.exe (PID: 6768 cmdline: "C:\Users\user\AppData\Local\Temp\MVPLoader.exe" MD5: F1F43CF5A79E51BA13EF602B25C63A9E)
- CyberLoader.exe (PID: 5284 cmdline: "C:\Users\user\AppData\Local\Temp\CyberLoader.exe" MD5: 1B4CF2A40E1387CF97DFBE1303C9619A)
- wscript.exe (PID: 7188 cmdline: "C:\Windows\System32\WScript.exe" "C:\msPortRefnetdhcp\zRMFcMzN1094wnGdurNck4fGlt.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 7300 cmdline: C:\Windows\system32\cmd.exe /c ""C:\msPortRefnetdhcp\m6JlOKDKnmGOe6a.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- componentWininto.exe (PID: 7352 cmdline: "C:\msPortRefnetdhcp\componentWininto.exe" MD5: 53758CEA18D59182A809208313D5042A)
- schtasks.exe (PID: 7828 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Downloads\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7844 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7860 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7876 cmdline: schtasks.exe /create /tn "zufsVvjyWcGfJFz" /sc MINUTE /mo 13 /tr "'C:\Recovery\zufsVvjyWcGfJF.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7892 cmdline: schtasks.exe /create /tn "zufsVvjyWcGfJF" /sc ONLOGON /tr "'C:\Recovery\zufsVvjyWcGfJF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7908 cmdline: schtasks.exe /create /tn "zufsVvjyWcGfJFz" /sc MINUTE /mo 14 /tr "'C:\Recovery\zufsVvjyWcGfJF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7924 cmdline: schtasks.exe /create /tn "zufsVvjyWcGfJFz" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\zufsVvjyWcGfJF.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7940 cmdline: schtasks.exe /create /tn "zufsVvjyWcGfJF" /sc ONLOGON /tr "'C:\Windows\ShellComponents\zufsVvjyWcGfJF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7956 cmdline: schtasks.exe /create /tn "zufsVvjyWcGfJFz" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\zufsVvjyWcGfJF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- cmd.exe (PID: 7988 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\EunsIO9tk2.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- w32tm.exe (PID: 8040 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
- zufsVvjyWcGfJF.exe (PID: 7896 cmdline: "C:\Windows\ShellComponents\zufsVvjyWcGfJF.exe" MD5: 53758CEA18D59182A809208313D5042A)
- wscript.exe (PID: 7228 cmdline: "C:\Windows\System32\WScript.exe" "C:\msPortRefnetdhcp\file.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- zufsVvjyWcGfJF.exe (PID: 8088 cmdline: C:\Windows\ShellComponents\zufsVvjyWcGfJF.exe MD5: 53758CEA18D59182A809208313D5042A)
- zufsVvjyWcGfJF.exe (PID: 8120 cmdline: C:\Windows\ShellComponents\zufsVvjyWcGfJF.exe MD5: 53758CEA18D59182A809208313D5042A)
- wscript.exe (PID: 7904 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\6eef2b35-f577-4ffd-aafd-9efeb85439f2.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- WmiPrvSE.exe (PID: 8044 cmdline: "C:\Users\Default User\Downloads\WmiPrvSE.exe" MD5: 53758CEA18D59182A809208313D5042A)
- wscript.exe (PID: 8124 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\e99985a1-94fc-4281-b02a-ceb1639f4b4a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- WmiPrvSE.exe (PID: 2992 cmdline: "C:\Users\Default User\Downloads\WmiPrvSE.exe" MD5: 53758CEA18D59182A809208313D5042A)
- wscript.exe (PID: 4128 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1ad27169-68a1-4284-b3a4-ab1d46640beb.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- WmiPrvSE.exe (PID: 6112 cmdline: "C:\Users\Default User\Downloads\WmiPrvSE.exe" MD5: 53758CEA18D59182A809208313D5042A)
- wscript.exe (PID: 6440 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d365112d-c481-40f0-92bb-6621c11733c0.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- WmiPrvSE.exe (PID: 4076 cmdline: "C:\Users\Default User\Downloads\WmiPrvSE.exe" MD5: 53758CEA18D59182A809208313D5042A)
- wscript.exe (PID: 6572 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c327c276-7051-4e25-8eb9-181648a7a409.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 7096 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d096c949-588b-4f62-9035-9022be100ad8.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 8168 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\6334e2d8-afed-41d5-8a9a-b81dc662bd51.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 3668 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\da4d56e5-dd25-4b11-bec9-392111f2ec60.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
```json
{
  "SCRT": "{\"C\":\"#\",\"L\":\"~\",\"9\":\"(\",\"Z\":\"`\",\"J\":\"@\",\"k\":\"_\",\"N\":\"!\",\"a\":\"$\",\"i\":\"*\",\"M\":\">\",\"4\":\"^\",\"0\":\",\",\"h\":\"|\",\"E\":\";\",\"A\":\"-\",\"I\":\"%\",\"d\":\"&\",\"n\":\".\",\"H\":\")\",\"m\":\" \",\"V\":\"<\"}",
  "PCRT": "{\"M\":\"%\",\"B\":\"&\",\"Z\":\"^\",\"W\":\"|\",\"R\":\"`\",\"t\":\",\",\"5\":\"~\",\"Q\":\"-\",\"z\":\"$\",\"F\":\"*\",\"d\":\")\",\"U\":\"<\",\"E\":\">\",\"I\":\"@\",\"m\":\"#\",\"v\":\"_\",\"G\":\"!\",\"j\":\".\",\"V\":\";\",\"N\":\" \",\"2\":\"(\"}",
  "TAG": "",
  "MUTEX": "DCR_MUTEX-DSAHi0MzOtJS6OWpXdgD",
  "LDTM": false,
  "DBG": false,
  "SST": 5,
  "SMST": 2,
  "BCS": 0,
  "AUR": 1,
  "ASCFG": {"searchpath": "%UsersFolder% - Fast"},
  "AS": false,
  "ASO": false,
  "AD": false,
  "H1": "http://a0947291.xsph.ru/@=kTYjFmNwYTM",
  "H2": "http://a0947291.xsph.ru/@=kTYjFmNwYTM",
  "T": "0"
}
```
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Michael Haag: |
No Snort rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link | ||
Source: | Joe Sandbox ML: | ||
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Code function: | 3_2_0027A5F4 | |
Source: | Code function: | 3_2_0028B8E0 |
Source: | File opened: | Jump to behavior | ||
Networking |
---|
Source: | URLs: |
Source: | IP Address: | ||
Source: | HTTP traffic detected: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |