Windows
Analysis Report
file.exe
Overview
General Information
Detection
DcRat, JasonRAT
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DcRat
Yara detected JasonRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- file.exe (PID: 4696, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 76969ACC42256771162BE6F285DE947C)
- Mxscspd_BelphegorShell.exe (PID: 4084, cmdline: "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe", MD5: 412A8BBC3366FEC40120821A598EA26F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{"Server": "127.0.0.1,winner2025me.duckdns.org", "Ports": "7777", "Version": "JASON 2.1.1.0", "Autorun": "false", "Install_Folder": "AppData", "Install_File": "ScJlsrsfsks", "AES_key": "Jason\u2620LetThereBeCarnage", "Mutex": "Jason_CnzagnrahJcsdJcnzns", "AntiDetection": "null", "External_config_on_Pastebin": "false", "Startup_Delay": 1, "Certificate": "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", "ServerSignature": "PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=", "Group": "HOME"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security | | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-02T20:14:02.195868+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 87.120.113.91 | 7777 | 192.168.2.5 | 49704 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: |
Source: | Static PE information: |
Source: | File opened: |
Networking |
---|