Windows Analysis Report
cDouNOFXle.exe
Overview
General Information
Detection
DCRat
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected DCRat
Creates processes via WMI
Machine Learning detection for sample
Machine Learning detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
File is packed with WinRar
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64
- cDouNOFXle.exe (PID: 3632 cmdline: "C:\Users\user\Desktop\cDouNOFXle.exe" MD5: 54172888B473F2515B13FE1E2032A112)
- wscript.exe (PID: 5792 cmdline: "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
- cmd.exe (PID: 5824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- chainsavesref.exe (PID: 3372 cmdline: C:\comproviderRuntimecommon\chainsavesref.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
- schtasks.exe (PID: 5100 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5208 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5296 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 1100 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5284 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- MrsUvRPGeImAhc.exe (PID: 3432 cmdline: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
- schtasks.exe (PID: 3056 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 2232 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5800 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 4592 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- MrsUvRPGeImAhc.exe (PID: 2756 cmdline: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
- schtasks.exe (PID: 2072 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5100 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\explorer.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 4036 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 4200 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- explorer.exe (PID: 1820 cmdline: C:\Recovery\explorer.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
- schtasks.exe (PID: 5304 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- explorer.exe (PID: 5580 cmdline: C:\Recovery\explorer.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
- schtasks.exe (PID: 3896 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5280 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 6024 cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5608 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 6056 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- cleanup
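The process tree above shows the two behaviours the signatures call out working together: copies of the payload dropped under benign system names (conhost.exe, winlogon.exe, explorer.exe in C:\Recovery) and pairs of schtasks.exe /create commands per copy, one ONLOGON task with /rl HIGHEST and one MINUTE task with a short /mo interval, the task names copying the file name with one letter appended. The following triage helper is an added example, not code from the Joe Sandbox report or from DCRat: it parses process-tree lines in the report's rendering and flags those patterns. The genuine binary locations assume a default Windows 10 x64 layout, and the 15-minute threshold and the task-name heuristic are choices made here from the task names seen above.

```python
"""Triage helper: flag schtasks persistence and system-binary masquerading in
sandbox process-tree lines. Added example, not Joe Sandbox or DCRat code."""
import re
from dataclasses import dataclass, field

# Where the genuine binaries live on a default Windows 10 x64 install (assumption).
# A trailing "\*" means "this directory or below" (ShellExperienceHost is packaged).
LEGIT_LOCATIONS = {
    "conhost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "backgroundtaskhost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "shellexperiencehost.exe": r"c:\windows\systemapps\*",
}
# One process per line, as rendered in the report's process tree.
TREE_RE = re.compile(r"^-\s+(?P<image>\S+)\s+\(PID:\s*(?P<pid>\d+)\s+cmdline:\s*"
                     r"(?P<cmd>.*?)\s+MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\)\s*$")

@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)

def _opt(cmdline, name):
    """Value of a schtasks /name option, quoted ("...") or bare, else None."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def _split(path):
    """(lowercase directory, lowercase file name) of a Windows path."""
    d, _, f = path.lower().rpartition("\\")
    return d, f

def masquerade_reason(path):
    """Why `path` is a system-binary name outside its real directory, or None."""
    d, name = _split(path.strip("'\""))
    legit = LEGIT_LOCATIONS.get(name)
    if legit is None:
        return None
    ok = d.startswith(legit[:-1]) if legit.endswith("\\*") else d == legit
    return None if ok else f"{name} launched from {d}, genuine copy lives under {legit}"

def schtasks_reasons(cmdline):
    """Reasons a `schtasks /create` command line looks like malware persistence."""
    if not re.search(r"schtasks(\.exe)?\s+/create", cmdline, re.IGNORECASE):
        return []
    reasons = []
    tn, sc, mo, tr, rl = (_opt(cmdline, o) for o in ("tn", "sc", "mo", "tr", "rl"))
    if tr:
        tr = tr.strip("'")          # the report shows /tr "'C:\...\x.exe'"
        r = masquerade_reason(tr)
        if r:
            reasons.append(r)
        target = _split(tr)[1]
        stem = target[:-4] if target.endswith(".exe") else target
        # Naming seen above: ONLOGON task named after the file, MINUTE task named
        # the same plus one extra character (conhost / conhostc, winlogon / winlogonw).
        if tn and tn.lower() in (stem, stem + stem[:1]):
            reasons.append(f"task name {tn!r} copies target file name")
    if sc and sc.upper() == "MINUTE" and mo and int(mo) <= 15:  # 15 min: threshold chosen here
        reasons.append(f"re-launches every {mo} minute(s)")
    if rl and rl.upper() == "HIGHEST":
        reasons.append("requests highest run level")
    return reasons

def triage(tree_lines):
    """Return one Finding per suspicious process; clean processes yield nothing."""
    findings = []
    for line in tree_lines:
        m = TREE_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"]
        reasons = schtasks_reasons(cmd)
        # The image actually launched: quoted first argument, or first token.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        r = masquerade_reason(exe)
        if r:
            reasons.append(r)
        if reasons:
            findings.append(Finding(int(m["pid"]), m["image"], reasons))
    return findings

# Process-tree lines copied from the report above (one per line, spacing repaired).
SAMPLE_TREE = [
    r'''- conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)''',
    r'''- chainsavesref.exe (PID: 3372 cmdline: C:\comproviderRuntimecommon\chainsavesref.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)''',
    r'''- schtasks.exe (PID: 5100 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)''',
    r'''- schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)''',
    r'''- schtasks.exe (PID: 5296 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)''',
    r'''- explorer.exe (PID: 1820 cmdline: C:\Recovery\explorer.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)''',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_TREE):
        print(f"PID {f.pid} {f.image}: " + "; ".join(f.reasons))
```

The legitimate conhost.exe (PID 5080, launched from System32) and chainsavesref.exe (an unknown name, so nothing to compare against) produce no finding; every schtasks.exe line and both explorer.exe copies in C:\Recovery do. Note that the masquerade check depends entirely on the expected-location table, so a deployment would pin it to the actual image layout of the fleet rather than the defaults assumed here.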
Malware Configuration

```json
{
  "SCRT": "{\"l\":\"@\",\"w\":\"#\",\"I\":\"`\",\"Y\":\"$\",\"M\":\"%\",\"i\":\",\",\"D\":\"&\",\"N\":\"-\",\"5\":\" \",\"P\":\"~\",\"s\":\")\",\"K\":\"*\",\"3\":\";\",\"m\":\"^\",\"c\":\">\",\"Q\":\"<\",\"2\":\"(\",\"S\":\"_\",\"O\":\"!\",\"y\":\".\",\"0\":\"|\"}",
  "PCRT": "{\"l\":\"|\",\"6\":\"&\",\"G\":\"<\",\"I\":\"^\",\"0\":\")\",\"p\":\"!\",\"y\":\",\",\"n\":\".\",\"X\":\"*\",\"M\":\"$\",\"=\":\">\",\"9\":\" \",\"b\":\"~\",\"S\":\";\",\"d\":\"@\",\"Y\":\"(\",\"c\":\"#\",\"w\":\"`\",\"i\":\"-\",\"e\":\"%\",\"j\":\"_\"}",
  "TAG": "FUCKYOUTEST",
  "MUTEX": "DCR_MUTEX-02ykwxZSRSiKYAzrbrFg",
  "LDTM": false,
  "DBG": false,
  "SST": 5,
  "SMST": 2,
  "BCS": 0,
  "AUR": 1,
  "ASCFG": {
    "savebrowsersdatatosinglefile": false,
    "ignorepartiallyemptydata": true,
    "cookies": true,
    "passwords": true,
    "forms": true,
    "cc": true,
    "history": true,
    "telegram": true,
    "steam": true,
    "discord": true,
    "filezilla": true,
    "screenshot": true,
    "clipboard": true,
    "sysinfo": true,
    "searchpath": "%UsersFolder% - Fast"
  },
  "AS": true,
  "ASO": false,
  "AD": false
}
```
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |

8 Yara matches in total; the 5 shown are all JoeSecurity_DCRat_1.
No Sigma rule has matched
No Snort rule has matched
AV Detection

Sources: VirusTotal (perma link), Metadefender (perma link), ReversingLabs, Avira, Joe Sandbox ML.

Other evidence sources in the signature section: Malware Configuration Extractor, static PE information, binary strings, code functions, IP address, HTTP traffic detected.