Windows
Analysis Report
qNdO4D18CF.exe
Overview
General Information
Sample name: | qNdO4D18CF.exe (renamed because original name is a hash value) |
Original sample name: | CE2EC4539435DFEAC7E246FE5565C521.exe |
Analysis ID: | 1565523 |
MD5: | ce2ec4539435dfeac7e246fe5565c521 |
SHA1: | 59f3da006005a109914c31b5d5cd94dc4c93309c |
SHA256: | d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562 |
Tags: | DCRat, exe, user-abuse_ch |
Detection
DCRat, PureLog Stealer, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- qNdO4D18CF.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\qNdO4D18CF.exe" MD5: CE2EC4539435DFEAC7E246FE5565C521)
- csc.exe (PID: 7556 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cvtres.exe (PID: 7616 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA90.tmp" "c:\Windows\System32\CSCA9DA535D810450AA35B2C9F27DA16D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- powershell.exe (PID: 7644 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WmiPrvSE.exe (PID: 2416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- powershell.exe (PID: 7652 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7668 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7692 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7716 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7724 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7812 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7824 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7880 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7896 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7920 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7952 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7980 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8012 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qNdO4D18CF.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8040 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\XyagYCCOZX.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- chcp.com (PID: 8592 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
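The two behaviours that dominate the process tree above are the run of Add-MpPreference -ExclusionPath calls (one per top-level directory of C:, plus the drive root itself) and the csc.exe compile driven by a response file in the user's Temp directory. The script below is an added example, not part of the Joe Sandbox report and not the logic of the Sigma rules it names; it runs over constructed command lines modelled on the tree (Sysmon event 1 or Security 4688 style) and flags both behaviours, expanding PowerShell -EncodedCommand payloads first so the Base64 MpPreference variant listed in the signatures is caught as well. The severity scale (drive root is critical, top-level directory high, single file medium) and the rule names are the example's own.

```python
"""Flag Defender-exclusion tampering and dynamic .NET compilation in
process-creation command lines. Added example; rule names and severities are
this script's own, not the Sigma rules' exact logic."""
import base64
import re
from dataclasses import dataclass

# Quoted spans stay one token; a leading '@' (csc.exe response file) is kept.
TOKEN_RE = re.compile(r'@?"[^"]*"|@?\'[^\']*\'|\S+')
EXCLUSION_PARAMS = {"exclusionpath", "exclusionprocess", "exclusionextension"}
ENCODED_SWITCHES = {"encodedcommand", "enc", "ec", "e"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line; quotes are stripped, '@' prefixes kept."""
    toks = []
    for t in TOKEN_RE.findall(cmdline):
        prefix = "@" if t.startswith("@") else ""
        toks.append(prefix + t[len(prefix):].strip("\"'"))
    return toks


def expand_encoded(tokens: list[str]) -> list[str]:
    """Replace -EncodedCommand/-enc <b64> with the decoded UTF-16LE script tokens."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i].lstrip("-/").lower() in ENCODED_SWITCHES and i + 1 < len(tokens):
            try:
                script = base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
                out.extend(tokenize(script))
                i += 2
                continue
            except (ValueError, UnicodeDecodeError):
                pass  # not a real encoded command; keep the token as-is
        out.append(tokens[i])
        i += 1
    return out


def flatten_script(tokens: list[str]) -> list[str]:
    """Re-split a quoted -Command payload so cmdlet and parameters are separate tokens."""
    out = []
    for t in tokens:
        if " " in t and re.search(r"\b(add|set)-mppreference\b", t, re.I):
            out.extend(tokenize(t))
        else:
            out.append(t)
    return out


def exclusion_breadth(path: str) -> str:
    """Severity by how much of the volume the exclusion covers."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if len(parts) <= 1:   # 'C:/' -> the whole drive
        return "critical"
    if len(parts) == 2:   # 'C:/Users/' -> a top-level directory
        return "high"
    return "medium"       # a single file or deeper directory


def analyze(cmdline: str) -> list[Finding]:
    tokens = flatten_script(expand_encoded(tokenize(cmdline)))
    findings: list[Finding] = []
    if not tokens:
        return findings
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    lowered = [t.lower() for t in tokens]
    # Defender exclusion added via PowerShell (plain or Base64-encoded)
    if "add-mppreference" in lowered or "set-mppreference" in lowered:
        for i, t in enumerate(lowered):
            param = t.lstrip("-")
            if param in EXCLUSION_PARAMS and i + 1 < len(tokens):
                sev = exclusion_breadth(tokens[i + 1]) if param == "exclusionpath" else "medium"
                findings.append(Finding("defender_exclusion", sev, f"{tokens[i]} {tokens[i + 1]}"))
    # .NET compiler reading a response file from a user-writable location
    if image in ("csc.exe", "vbc.exe"):
        for t in tokens[1:]:
            if t.startswith("@") and USER_WRITABLE.search(t):
                findings.append(Finding("dotnet_compile_from_suspicious_location", "high", t))
    return findings


# Constructed sample lines modelled on the process tree above (not a real log export).
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:/ProgramData/'".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    r'"C:\Users\user\Desktop\qNdO4D18CF.exe"',
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rmvercvh\rmvercvh.cmdline"',
    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:/'",
    r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:/Users/'"''',
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'",
    f"powershell -NoProfile -EncodedCommand {ENCODED}",
    r"powershell -Command Get-MpPreference",
]


def scan(cmdlines: list[str]) -> list[tuple[str, Finding]]:
    """Run every rule over every line; returns (cmdline, finding) pairs."""
    return [(c, f) for c in cmdlines for f in analyze(c)]


if __name__ == "__main__":
    for cmd, f in scan(SAMPLE_CMDLINES):
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
```

Feed real Sysmon or 4688 command lines into scan() to reproduce the report's findings on a host; on this sample the drive-root exclusion ('C:/') is the one that effectively disables Defender scanning for everything the RAT later drops, so it is the finding to page on.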