Windows Analysis Report
af5Cop6pCN.exe

Overview

General Information

Sample Name: af5Cop6pCN.exe
Analysis ID: 708255
MD5: 32a56b4e67436bdd3d39809a9be949b8
SHA1: dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc
SHA256: 5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
.NET source code references suspicious native API functions
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: af5Cop6pCN.exe ReversingLabs: Detection: 92%
Source: af5Cop6pCN.exe Metadefender: Detection: 45%
Source: af5Cop6pCN.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe Avira: detection malicious, Label: HEUR/AGEN.1235730
Source: C:\Users\user\AppData\Roaming\svchost.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\svchost.exe Metadefender: Detection: 45%
Source: af5Cop6pCN.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe Joe Sandbox ML: detected
Source: 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}
Source: af5Cop6pCN.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Source: af5Cop6pCN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 3.72.110.63 9087
Source: C:\Users\user\AppData\Roaming\svchost.exe Domain query: pastebin.com
Source: C:\Users\user\AppData\Roaming\svchost.exe Domain query: termsiya.duckdns.org
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 104.20.67.143 443
Source: Traffic Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 3.72.110.63:9087 -> 192.168.2.4:49708
Source: Traffic Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 3.72.110.63:9087 -> 192.168.2.4:49708
Source: Yara match File source: af5Cop6pCN.exe, type: SAMPLE
Source: Yara match File source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Malware configuration extractor URLs: <!Cv
Source: unknown DNS query: name: pastebin.com
Source: unknown DNS query: name: termsiya.duckdns.org
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic HTTP traffic detected: GET /raw/pffCggZp HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.20.67.143
Source: unknown HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Source: global traffic TCP traffic: 192.168.2.4:49708 -> 3.72.110.63:9087
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: svchost.exe, 00000008.00000002.584593553.000000001BB13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.8.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?541049bf1a9dc
Source: svchost.exe, 00000008.00000002.578858102.00000000033D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: af5Cop6pCN.exe, 00000000.00000002.324797185.0000000003246000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.578365156.0000000003376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000008.00000002.578807116.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/pffCggZp
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com8
Source: unknown DNS traffic detected: queries for: pastebin.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

System Summary

Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: af5Cop6pCN.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 8_2_00007FF81640E8A2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 8_2_00007FF81640F33D
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 8_2_00007FF81640DAF6
Source: af5Cop6pCN.exe, 00000000.00000002.322593978.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe, 00000000.00000000.303241374.0000000000B5C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\svchost.exe 5F6475A6D18503FBC2EB916E32ED1D6B4769F58D364EF2F94C2FD1A52C9AA1DF
Source: af5Cop6pCN.exe ReversingLabs: Detection: 92%
Source: af5Cop6pCN.exe Metadefender: Detection: 45%
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File read: C:\Users\user\Desktop\af5Cop6pCN.exe
Source: af5Cop6pCN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\af5Cop6pCN.exe "C:\Users\user\Desktop\af5Cop6pCN.exe"
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File created: C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/7@2/2
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File read: C:\Users\user\Desktop\desktop.ini
Source: af5Cop6pCN.exe, u0002/u0004.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: af5Cop6pCN.exe, u0002/u0004.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, u0002/u0004.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: svchost.exe.0.dr, u0002/u0004.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: af5Cop6pCN.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: af5Cop6pCN.exe, u0004/u0001.cs Base64 encoded string: (embedded base64 blobs omitted)
Source: svchost.exe.0.dr, u0004/u0001.cs Base64 encoded string: (embedded base64 blobs omitted)
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1416:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_01
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_stankakusust
Source: af5Cop6pCN.exe, u0007/u0004.cs Cryptographic APIs: 'CreateDecryptor'
Source: svchost.exe.0.dr, u0007/u0004.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Roaming\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: af5Cop6pCN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: af5Cop6pCN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: af5Cop6pCN.exe, u0007/u0001.cs .Net Code: \x04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: svchost.exe.0.dr, u0007/u0001.cs .Net Code: \x04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\af5Cop6pCN.exe File created: C:\Users\user\AppData\Roaming\svchost.exe

Boot Survival

Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: google.png
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
Source: C:\Users\user\Desktop\af5Cop6pCN.exe TID: 5264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2904 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3276 Thread sleep count: 104 > 30
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 1032 Thread sleep count: 9788 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 9788
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000008.00000003.369120788.000000001BC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585203181.000000001BC15000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585145466.000000001BC00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 3.72.110.63 9087
Source: C:\Users\user\AppData\Roaming\svchost.exe Domain query: pastebin.com
Source: C:\Users\user\AppData\Roaming\svchost.exe Domain query: termsiya.duckdns.org
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 104.20.67.143 443
Source: af5Cop6pCN.exe, u0002/u0002.cs Reference to suspicious API methods: ('\\x01', 'OpenProcess@kernel32.dll')
Source: af5Cop6pCN.exe, u0005/u0001.cs Reference to suspicious API methods: ('\\x01', 'GetProcAddress@kernel32'), ('\\x01', 'LoadLibraryA@kernel32')
Source: svchost.exe.0.dr, u0002/u0002.cs Reference to suspicious API methods: ('\\x01', 'OpenProcess@kernel32.dll')
Source: svchost.exe.0.dr, u0005/u0001.cs Reference to suspicious API methods: ('\\x01', 'GetProcAddress@kernel32'), ('\\x01', 'LoadLibraryA@kernel32')
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: svchost.exe, 00000008.00000002.577270093.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577294907.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577152515.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager(
Source: svchost.exe, 00000008.00000002.577270093.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577294907.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.584908795.000000001BB86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager0y
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Queries volume information: C:\Users\user\Desktop\af5Cop6pCN.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr Binary or memory string: MSASCui.exe
Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr Binary or memory string: procexp.exe
Source: svchost.exe, 00000008.00000003.448206192.000000001BBCF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585203181.000000001BC15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR