Windows
Analysis Report
jx2eCe6ymR.exe
Overview
General Information
Sample name: | jx2eCe6ymR.exe (renamed because original name is a hash value) |
Original sample name: | 22acd327c5273659a31e56d94cefed20.exe |
Analysis ID: | 1467270 |
MD5: | 22acd327c5273659a31e56d94cefed20 |
SHA1: | 0c3534ab1f3f2fbc3b2410b50c0bd3450e8b7e20 |
SHA256: | b56d3e6d1b59e49bbec7d67b46efdabcd4f63113d4937e713c017a5c8307c1f9 |
Tags: | DCRat, exe |
Detection
DCRat
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executable to a common third party application directory
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- jx2eCe6ymR.exe (PID: 1468 cmdline: "C:\Users\user\Desktop\jx2eCe6ymR.exe" MD5: 22ACD327C5273659A31E56D94CEFED20)
- wscript.exe (PID: 5012 cmdline: "C:\Windows\System32\WScript.exe" "C:\providerReviewperfsvc\82mN47a0TiFi3a9eGnk.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 5252 cmdline: C:\Windows\system32\cmd.exe /c ""C:\providerReviewperfsvc\jW8bFRH7MHNFa6gk2NSgaGKIpk.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- hyperIntoruntime.exe (PID: 1364 cmdline: "C:\providerReviewperfsvc\hyperIntoruntime.exe" MD5: CA3AE9AE64643D74D4EAF06F154F272A)
- schtasks.exe (PID: 6824 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7076 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWE" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-GB\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 368 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 3488 cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providerReviewperfsvc\Idle.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6928 cmdline: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providerReviewperfsvc\Idle.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 3248 cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providerReviewperfsvc\Idle.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 616 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Downloads\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5908 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWE" /sc ONLOGON /tr "'C:\Users\Default User\Downloads\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4904 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Downloads\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6368 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\Microsoft\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1804 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWE" /sc ONLOGON /tr "'C:\Users\Default\Application Data\Microsoft\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5388 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\Microsoft\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7072 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5616 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWE" /sc ONLOGON /tr "'C:\Windows\System32\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1224 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5928 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 14 /tr "'C:\providerReviewperfsvc\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 2264 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWE" /sc ONLOGON /tr "'C:\providerReviewperfsvc\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 420 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 5 /tr "'C:\providerReviewperfsvc\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5544 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6864 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6852 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5812 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 13 /tr "'C:\Recovery\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 3552 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWE" /sc ONLOGON /tr "'C:\Recovery\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4508 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 12 /tr "'C:\Recovery\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4824 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 9 /tr "'C:\providerReviewperfsvc\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1612 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWE" /sc ONLOGON /tr "'C:\providerReviewperfsvc\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1668 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 5 /tr "'C:\providerReviewperfsvc\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 3640 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4420 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6420 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\nEuTyBtWAvjkYQrIMhtZWE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5012 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\plugin2\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6472 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\plugin2\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4544 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\plugin2\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 340 cmdline: schtasks.exe /create /tn "nEuTyBtWAvjkYQrIMhtZWEn" /sc MINUTE /mo 9 /tr "'C:\Program Files\Adobe\Acrobat DC\nEuTyBtWAvjkYQrIMhtZWE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- Idle.exe (PID: 6412 cmdline: C:\providerReviewperfsvc\Idle.exe MD5: CA3AE9AE64643D74D4EAF06F154F272A)
- Idle.exe (PID: 5268 cmdline: C:\providerReviewperfsvc\Idle.exe MD5: CA3AE9AE64643D74D4EAF06F154F272A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{"SCRT": "{\"c\":\"<\",\"i\":\"!\",\"1\":\"%\",\"j\":\" \",\"N\":\"*\",\"A\":\"-\",\"J\":\">\",\"5\":\")\",\"w\":\"&\",\"M\":\"~\",\"h\":\".\",\"0\":\"^\",\"9\":\"|\",\"o\":\"`\",\"W\":\";\",\"C\":\"#\",\"B\":\"@\",\"6\":\"_\",\"D\":\"$\",\"y\":\",\",\"Q\":\"(\"}", "PCRT": "{\"h\":\"&\",\"l\":\"!\",\"q\":\"#\",\"Q\":\"$\",\"B\":\"|\",\"F\":\";\",\"N\":\"(\",\"D\":\"@\",\"3\":\"*\",\"J\":\" \",\"0\":\"-\",\"j\":\"`\",\"U\":\"_\",\"T\":\".\",\"K\":\"^\",\"C\":\">\",\"R\":\"%\",\"9\":\"~\",\"t\":\"<\",\"Y\":\",\",\"E\":\")\"}", "TAG": "", "MUTEX": "DCR_MUTEX-VR44XW95BWe3p1mj6E9P", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 2, "AUR": 1, "ASCFG": null, "AS": false, "ASO": false, "AD": false, "H1": "http://a1000454.xsph.ru/@==gbJBzYuFDT", "H2": "http://a1000454.xsph.ru/@==gbJBzYuFDT", "T": "0"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
System Summary |
---|
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Michael Haag: |
Persistence and Installation Behavior |
---|
Source: | Author: Joe Security: |
No Snort rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Static PE information: |
Source: | Directory created: | Jump to behavior | ||
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Networking |
---|
Source: | URLs: |
Source: | IP Address: | ||
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | HTTP traffic detected: |