Windows
Analysis Report
QT4aLb3P98.exe
Overview
General Information
Sample name: | QT4aLb3P98.exe (renamed because the original name is a hash value) |
Original sample name: | 1a9c19cd373f9ce0642f18f6965521b3.exe |
Analysis ID: | 1483427 |
MD5: | 1a9c19cd373f9ce0642f18f6965521b3 |
SHA1: | 64bc66f217964ab7310084cc9b2e4ef72ea7156b |
SHA256: | 82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb |
Tags: | DCRat, exe |
Detection
DCRat
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- QT4aLb3P98.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\QT4aLb3P98.exe" MD5: 1A9C19CD373F9CE0642F18F6965521B3)
- schtasks.exe (PID: 3804 cmdline: schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 5480 cmdline: schtasks.exe /create /tn "wRRcPdViqk" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1184 cmdline: schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 4924 cmdline: schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Sonata\wRRcPdViqk.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1432 cmdline: schtasks.exe /create /tn "wRRcPdViqk" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\wRRcPdViqk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 6756 cmdline: schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Sonata\wRRcPdViqk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- cmd.exe (PID: 7152 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eE9QbXcUOX.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- w32tm.exe (PID: 6756 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
- wRRcPdViqk.exe (PID: 7252 cmdline: "C:\Windows\Media\Sonata\wRRcPdViqk.exe" MD5: 1A9C19CD373F9CE0642F18F6965521B3)
- wRRcPdViqk.exe (PID: 5696 cmdline: C:\Windows\Media\Sonata\wRRcPdViqk.exe MD5: 1A9C19CD373F9CE0642F18F6965521B3)
- wRRcPdViqk.exe (PID: 5104 cmdline: C:\Windows\Media\Sonata\wRRcPdViqk.exe MD5: 1A9C19CD373F9CE0642F18F6965521B3)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{"SCRT": "{\"o\":\")\",\"L\":\"`\",\"t\":\" \",\"F\":\"_\",\"p\":\"!\",\"A\":\",\",\"w\":\"*\",\"5\":\"#\",\"l\":\"~\",\"H\":\"@\",\"Y\":\"|\",\"I\":\"%\",\"a\":\"<\",\"O\":\".\",\"m\":\";\",\"9\":\"&\",\"h\":\"-\",\"y\":\"^\",\"W\":\">\",\"T\":\"(\",\"i\":\"$\"}", "PCRT": "{\"l\":\"@\",\"V\":\"|\",\"Q\":\".\",\"0\":\"^\",\"X\":\",\",\"U\":\"!\",\"m\":\";\",\"8\":\"-\",\"z\":\"&\",\"B\":\"(\",\"J\":\"`\",\"Y\":\")\",\"1\":\"$\",\"w\":\"%\",\"n\":\"<\",\"d\":\"#\",\"N\":\"*\",\"K\":\"_\",\"h\":\">\",\"S\":\"~\",\"F\":\" \"}", "TAG": "", "MUTEX": "DCR_MUTEX-YA1pCSAA9lv2Umt03noS", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a1009608.xsph.ru/@=MjZ2QmMzETM", "H2": "http://a1009608.xsph.ru/@=MjZ2QmMzETM", "T": "0"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
2024-07-27T13:07:02.639541+0200 | 2034194 | 49730 | 80 | TCP | A Network Trojan was detected |
2024-07-27T13:07:19.875048+0200 | 2022930 | 443 | 49731 | TCP | A Network Trojan was detected |
2024-07-27T13:07:26.259809+0200 | 2022930 | 443 | 56108 | TCP | A Network Trojan was detected |
2024-07-27T13:07:27.325367+0200 | 2022930 | 443 | 56109 | TCP | A Network Trojan was detected |
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Avira: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: |
Source: | Virustotal: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Directory created: |
Source: | Directory created: |
Source: | Static PE information: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Networking |
---|
Source: | URLs: |
Source: | IP Address: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |