Windows Analysis Report
DCwTjs2dTP.exe

Overview

General Information

Sample Name:DCwTjs2dTP.exe
Analysis ID:679101
MD5:2ed2a1d6604afeaa681f4c66dcd84194
SHA1:6134d837220afe9377cd78950c8aca43dde08d8c
SHA256:2a48fa5118bf1c97de6a6b7b0a45bcc95bd678d54f31e2f2d003e5f3ea49c780
Tags:DCRatexeRAT

Detection

AsyncRAT, DcRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • DCwTjs2dTP.exe (PID: 5664 cmdline: "C:\Users\user\Desktop\DCwTjs2dTP.exe" MD5: 2ED2A1D6604AFEAA681F4C66DCD84194)
    • cmd.exe (PID: 2612 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5128 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 6128 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5344 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • sihost.exe (PID: 5352 cmdline: "C:\Users\user\AppData\Roaming\sihost.exe" MD5: 2ED2A1D6604AFEAA681F4C66DCD84194)
  • cleanup
Malware Configuration (extracted by the sandbox, AsyncRAT/DcRat format):
{"Server": "techandro.giize.com,hsolic.duckdns.org", "Ports": "6906,6907", "Version": " 1.0.7", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "sihost.exe", "AES_key": "w28XgttPSPRfTrqDPtKQKIftMUNaIi1O", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICKzCCAZSgAwIBAgIVANmCJqwMXdgA6yyfZkFj0aZTsu+7MA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB2Rldk5vZGUxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMTEwMjAwODIxNThaFw0zMjA3MjkwODIxNThaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoRh2gPhcjrCexqYsTMZyZzR9nvXDArts2Pxe7vU8QXZ/2N2LtomHs8oIRK8BSNIq8pybY9t19WGwPVl1go5W14d1Gku1DmuB7h/osKUvia9151iX4HtEJzVUZ21JY54BTSNkrB7mO9MIt+NPmW+T434g9pwjXeLqwPn9vNMjlDwIDAQABozIwMDAdBgNVHQ4EFgQUAiSCu6ZEkdGGrjqlINwtfX5B6ncwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCYJ/7raO8AXKrzJF9npX6m1mUuFIiPNrmznT/3GogAp/JEDW8keA7Mq+IuMV5zjeQ6jrHVToqCFDUPGd3/yMbwmDlQMYjuj+bNl5f5m2pjHKTX1B/QuUUUPLJ/kXiGOb2zml6uK4n5siqJB5Dhza1QKxnOe0RDyLEnlkVondXy6A==", "ServerSignature": "ZbnE26z/kUoafAYsNOaYAdifPsyY0NUimw56hYN83bmpUDLwVLP2BeWbnk3Mb+RyC7+/9H+auM6ptQK6ib0j+DbOdeQNsf+okOIez8zETDI0UKu51c+FUimCHgyZK+I5Z5tXrRFLS4JhVTH6rhdkluo83hNFkwm6R8TV62hDMtE=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Yara matches: network capture (PCAP)

Source:dump.pcap
Rule:Windows_Trojan_DCRat_1aeea1ac
Description:unknown
Author:unknown
Strings:
  • 0x115fbc:$b2: DcRat By qwqdanchun1

Yara matches: memory dumps

Source:0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp
Rule:Windows_Trojan_DCRat_1aeea1ac
Description:unknown
Author:unknown
Strings:
  • 0x111f7:$b2: DcRat By qwqdanchun1
  • 0x20733:$b2: DcRat By qwqdanchun1
  • 0x20977:$b2: DcRat By qwqdanchun1
  • 0x24e4b:$b2: DcRat By qwqdanchun1

Source:0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp
Rule:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Description:Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Author:ditekSHen
Strings:
  • 0x3175d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x316ac:$s2: L2Mgc2NodGFza3MgL2

Source:0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp
Rule:JoeSecurity_DcRat_2
Description:Yara detected DcRat
Author:Joe Security
Strings:(none listed)

Source:0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp
Rule:Windows_Trojan_DCRat_1aeea1ac
Description:unknown
Author:unknown
Strings:
  • 0x28bb:$b2: DcRat By qwqdanchun1
  • 0x8cf3:$b2: DcRat By qwqdanchun1
  • 0x8f2f:$b2: DcRat By qwqdanchun1

Source:00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp
Rule:JoeSecurity_AsyncRAT
Description:Yara detected AsyncRAT
Author:Joe Security
Strings:(none listed)

(19 further memory-dump matches are not shown in this extract.)

Yara matches: unpacked PEs

Source:0.2.DCwTjs2dTP.exe.abb0000.4.unpack
Rule:JoeSecurity_AsyncRAT
Description:Yara detected AsyncRAT
Author:Joe Security
Strings:(none listed)

Source:0.2.DCwTjs2dTP.exe.abb0000.4.unpack
Rule:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Description:Detects executables attempting to enumerate video devices using WMI
Author:ditekSHen
Strings:
  • 0xb33e:$q1: Select * from Win32_CacheMemory
  • 0xb37e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xb3cc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xb41a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source:0.2.DCwTjs2dTP.exe.abb0000.4.unpack
Rule:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Description:Detects executables containing the string DcRatBy
Author:ditekSHen
Strings:
  • 0xb97a:$s1: DcRatBy

Source:0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack
Rule:JoeSecurity_AsyncRAT
Description:Yara detected AsyncRAT
Author:Joe Security
Strings:(none listed)

Source:0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack
Rule:JoeSecurity_GenericDownloader_1
Description:Yara detected Generic Downloader
Author:Joe Security
Strings:(none listed)

(6 further unpacked-PE matches are not shown in this extract.)

Sigma

            No Sigma rule has matched

Snort IDS alert

Timestamp:08/05/22-09:16:42.961653
Source IP:182.186.88.126
Destination IP:192.168.2.3
Source Port:6906
Destination Port:49740
SID:2848152
Protocol:TCP
Classtype:A Network Trojan was detected

            AV Detection

Source: DCwTjs2dTP.exe | ReversingLabs: Detection: 50%
Source: DCwTjs2dTP.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\sihost.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Roaming\sihost.exe | ReversingLabs: Detection: 50%
Source: DCwTjs2dTP.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sihost.exe | Joe Sandbox ML: detected
Source: 0.0.DCwTjs2dTP.exe.b10000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT (the extracted configuration is identical to the one listed under Classification above; the "Certificate" value was removed from this copy during extraction)