Windows
Analysis Report
yX8787W7de.exe
Overview
General Information
Sample name: | yX8787W7de.exe (renamed because the original name is a hash value) |
Original sample name: | 10f54a1a68bce057dc9abbc2851a6235.exe |
Analysis ID: | 1431967 |
MD5: | 10f54a1a68bce057dc9abbc2851a6235 |
SHA1: | aa70b6be5f6e35655d0a5e25c450b47f4a23ffd0 |
SHA256: | d0be212a60bf7479492be23497cf0e933b8c6fda4e68b0d9724c7dc18e30fa37 |
Tags: | DCRat, exe |
Detection
DCRat, PureLog Stealer, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- yX8787W7de.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\yX8787W7de.exe" MD5: 10F54A1A68BCE057DC9ABBC2851A6235)
- wscript.exe (PID: 1832 cmdline: "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 3744 cmdline: C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- MsintoRefcommonsvc.exe (PID: 5340 cmdline: "C:\fontrefcrt/MsintoRefcommonsvc.exe" MD5: 65F6B916C8BD52DDAD601807F96BC373)
- schtasks.exe (PID: 6980 cmdline: schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SystemSettings.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 2304 cmdline: schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6576 cmdline: schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 14 /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- csc.exe (PID: 3652 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cvtres.exe (PID: 6324 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- schtasks.exe (PID: 1832 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1780 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsY" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5820 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7100 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4420 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- Conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 6308 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 928 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5852 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1984 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 2304 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 10 /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7100 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsY" /sc ONLOGON /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 2672 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 8 /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 928 cmdline: schtasks.exe /create /tn "MsintoRefcommonsvcM" /sc MINUTE /mo 11 /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6980 cmdline: schtasks.exe /create /tn "MsintoRefcommonsvc" /sc ONLOGON /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 2304 cmdline: schtasks.exe /create /tn "MsintoRefcommonsvcM" /sc MINUTE /mo 14 /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- cmd.exe (PID: 3652 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- chcp.com (PID: 6712 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
- PING.EXE (PID: 2304 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
- conhost.exe (PID: 7184 cmdline: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe" MD5: 65F6B916C8BD52DDAD601807F96BC373)
- cmd.exe (PID: 7600 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- chcp.com (PID: 7688 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
- w32tm.exe (PID: 7704 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
- conhost.exe (PID: 7200 cmdline: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe" MD5: 65F6B916C8BD52DDAD601807F96BC373)
- MsintoRefcommonsvc.exe (PID: 7224 cmdline: C:\fontrefcrt\MsintoRefcommonsvc.exe MD5: 65F6B916C8BD52DDAD601807F96BC373)
- MsintoRefcommonsvc.exe (PID: 7240 cmdline: C:\fontrefcrt\MsintoRefcommonsvc.exe MD5: 65F6B916C8BD52DDAD601807F96BC373)
- SwjJGfgwqbpLdPqvPFcqLsY.exe (PID: 7260 cmdline: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe MD5: 65F6B916C8BD52DDAD601807F96BC373)
- Conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- SwjJGfgwqbpLdPqvPFcqLsY.exe (PID: 7284 cmdline: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe MD5: 65F6B916C8BD52DDAD601807F96BC373)
- conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | |
zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. It has an infostealer component that targets browser information and crypto wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments. | No Attribution | |
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
System Summary |
---|
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Source: | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) |
Source: | Author: frack113, Florian Roth (Nextron Systems) |
Source: | Author: Michael Haag |
Source: | Author: frack113 |
Data Obfuscation |
---|
Source: | Author: Joe Security |
Persistence and Installation Behavior |
---|
Source: | Author: Joe Security |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
---|---|---|---|---|---
04/26/24-05:18:06.649964 | 2048095 | 49740 | 80 | TCP | A Network Trojan was detected
04/26/24-05:17:55.506360 | 2048095 | 49738 | 80 | TCP | A Network Trojan was detected
04/26/24-05:18:16.044779 | 2048095 | 49742 | 80 | TCP | A Network Trojan was detected
04/26/24-05:18:58.981677 | 2048095 | 49746 | 80 | TCP | A Network Trojan was detected
04/26/24-05:18:22.668854 | 2048095 | 49744 | 80 | TCP | A Network Trojan was detected
04/26/24-05:18:13.157896 | 2048095 | 49741 | 80 | TCP | A Network Trojan was detected
04/26/24-05:17:25.838542 | 2048095 | 49736 | 80 | TCP | A Network Trojan was detected
04/26/24-05:18:04.927388 | 2048095 | 49739 | 80 | TCP | A Network Trojan was detected
04/26/24-05:18:17.813793 | 2048095 | 49743 | 80 | TCP | A Network Trojan was detected
04/26/24-05:18:49.422994 | 2048095 | 49745 | 80 | TCP | A Network Trojan was detected
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Virustotal: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Directory created: |
Source: | Directory created: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Spreading |
---|
Source: | System file written: |
Source: | Code function: | 0_2_0012A69B |
Source: | Code function: | 0_2_0013C220 |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Networking |
---|
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | Process created: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |