Edit tour
Windows
Analysis Report
wxl1r0lntg.exe
Overview
General Information
| Sample name: | wxl1r0lntg.exerenamed because original name is a hash value |
| Original sample name: | 55672946ffc3fa0b0c7670bf37d45225.exe |
| Analysis ID: | 1586066 |
| MD5: | 55672946ffc3fa0b0c7670bf37d45225 |
| SHA1: | 669cba1aad9659aeff1a94b584b0e7ad3acb7c79 |
| SHA256: | 386878a415d3edac8530e3b99769b40759bd105e3758b2c68887440e8890ee55 |
| Tags: | DCRatexeuser-abuse_ch |
| Infos: |   |
 | |
Detection
DCRat, PureLog Stealer, zgRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains suspicious base64 encoded strings
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: New Custom Shim Database Created
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
wxl1r0lntg.exe (PID: 6156 cmdline: "C:\Users\ user\Deskt op\wxl1r0l ntg.exe" MD5: 55672946FFC3FA0B0C7670BF37D45225) 
sqls211.exe (PID: 1084 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\sqls21 1.exe" MD5: A79959F25EDA4401D0F5E7B370D6C613) 
wscript.exe (PID: 4144 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Roa ming\surro gateDriver intoSessio nNet\2zt0n 56bOhbwB2K zszETxYw2R uinHOyyQib CEaRYFawep zaxIU2GKt. vbe" MD5: FF00E0480075B095948000BDC66E81F0) 
cmd.exe (PID: 1576 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Roami ng\surroga teDriverin toSessionN et\2PE3PxT rTQg.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 1292 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 5020 cmdline:
reg add HK CU\Softwar e\Microsof t\Windows\ CurrentVer sion\Polic ies\System /v Disabl eTaskMgr / t REG_DWOR D /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - containerwebruntime.exe (PID: 2300 cmdline:
"C:\Users\ user\AppDa ta\Roaming \surrogate Driverinto SessionNet /container webruntime .exe" MD5: 77967721CE1C8B3F0EB800BD33527897) - csc.exe (PID: 4696 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\xwmh3i v5\xwmh3iv 5.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66) - conhost.exe (PID: 2172 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cvtres.exe (PID: 6464 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESAD56.tm p" "c:\Pro gram Files (x86)\Mic rosoft\Edg e\Applicat ion\CSCCB6 1929627DF4 40F9E17C54 9CE99168.T MP" MD5: C877CBB966EA5939AA2A17B6A5160950) - csc.exe (PID: 3552 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\dcil42 4w\dcil424 w.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66) - conhost.exe (PID: 1680 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cvtres.exe (PID: 1888 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESAFE6.tm p" "c:\Win dows\Syste m32\CSCE2A 537B396184 41DAC64E34 137FF17.TM P" MD5: C877CBB966EA5939AA2A17B6A5160950) - csc.exe (PID: 1672 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\pgfcrw pp\pgfcrwp p.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66) - conhost.exe (PID: 5604 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cvtres.exe (PID: 1812 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESB66E.tm p" "c:\Pro gram Files \Everythin g\CSCA1704 6CBF8B64A1 88168A4AB3 80809F.TMP " MD5: C877CBB966EA5939AA2A17B6A5160950) 
powershell.exe (PID: 3868 cmdline: "powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5084 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WmiPrvSE.exe (PID: 7612 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - powershell.exe (PID: 6584 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/$R ecycle.Bin /' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7100 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 432 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/$W inREAgent/ ' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6204 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3856 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Do cuments an d Settings /' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1120 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 2072 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Pe rfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 3364 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5776 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Pr ogram File s/' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6720 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6360 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Pr ogram File s (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7156 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5800 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Pr ogramData/ ' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1900 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7160 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Re covery/' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 616 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6476 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Sy stem Volum e Informat ion/' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2360 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1732 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Us ers/' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3720 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:/Wi ndows/' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1372 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1124 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:\Wi ndows\CbsT emp\KocFkU IHAfhPoyuB QDEUMiWWSP Cixy.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5964 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4408 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:\Pr ogram File s (x86)\wi ndows nt\K ocFkUIHAfh PoyuBQDEUM iWWSPCixy. exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2232 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5668 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:\Wi ndows\appp atch\Custo mSDB\sihos t.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5348 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5528 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:\Re covery\Run timeBroker .exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5576 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5228 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:\Wi ndows\BitL ockerDisco veryVolume Contents\K ocFkUIHAfh PoyuBQDEUM iWWSPCixy. exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 4788 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1532 cmdline:
"powershel l" -Comman d Add-MpPr eference - ExclusionP ath 'C:\Us ers\user\A ppData\Roa ming\surro gateDriver intoSessio nNet\conta inerwebrun time.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1672 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7752 cmdline:
"C:\Window s\System32 \cmd.exe" /C "C:\Use rs\user\Ap pData\Loca l\Temp\KDh udFNWvk.ba t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7860 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chcp.com (PID: 8396 cmdline:
chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32) - w32tm.exe (PID: 8760 cmdline:
w32tm /str ipchart /c omputer:lo calhost /p eriod:5 /d ataonly /s amples:2 MD5: 81A82132737224D324A3E8DA993E2FB5) - KocFkUIHAfhPoyuBQDEUMiWWSPCixy.exe (PID: 9188 cmdline:
"C:\Progra m Files (x 86)\window s nt\KocFk UIHAfhPoyu BQDEUMiWWS PCixy.exe" MD5: 77967721CE1C8B3F0EB800BD33527897) 
drivEn760.exe (PID: 4788 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\drivEn 760.exe" MD5: 5036E609163E98F3AC06D5E82B677DF8) - Everything.exe (PID: 6576 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\nss476 A.tmp\Ever ything\Eve rything.ex e" -instal l "C:\Prog ram Files\ Everything " -install -options " -app-data -install- run-on-sys tem-startu p -install -service - disable-ru n-as-admin -uninstal l-folder-c ontext-men u -install -start-men u-shortcut s -install -desktop-s hortcut -u ninstall-u rl-protoco l -install -efu-assoc iation -in stall-lang uage 1033 -save-inst all-option s 0" MD5: 0170601E27117E9639851A969240B959) - Everything.exe (PID: 5840 cmdline:
"C:\Progra m Files\Ev erything\E verything. exe" -app- data -inst all-run-on -system-st artup -ins tall-servi ce -disabl e-run-as-a dmin -unin stall-fold er-context -menu -ins tall-start -menu-shor tcuts -ins tall-deskt op-shortcu t -uninsta ll-url-pro tocol -ins tall-efu-a ssociation -install- language 1 033 -save- install-op tions 0 MD5: 0170601E27117E9639851A969240B959) - Everything.exe (PID: 5456 cmdline:
"C:\Progra m Files\Ev erything\E verything. exe" -disa ble-update -notificat ion -unins tall-quick -launch-sh ortcut -no -choose-vo lumes -lan guage 1033 MD5: 0170601E27117E9639851A969240B959) - Everything.exe (PID: 2504 cmdline:
"C:\Progra m Files\Ev erything\E verything. exe" MD5: 0170601E27117E9639851A969240B959)
- Everything.exe (PID: 2520 cmdline:
"C:\Progra m Files\Ev erything\E verything. exe" -svc MD5: 0170601E27117E9639851A969240B959)
- Everything.exe (PID: 7868 cmdline:
"C:\Progra m Files\Ev erything\E verything. exe" -star tup MD5: 0E5995C0475E4E57F7A6B3FA6E790ABD) - KocFkUIHAfhPoyuBQDEUMiWWSPCixy.exe (PID: 8200 cmdline:
"C:\Window s\CbsTemp\ KocFkUIHAf hPoyuBQDEU MiWWSPCixy .exe" MD5: 77967721CE1C8B3F0EB800BD33527897) - Everything.exe.exe (PID: 8220 cmdline:
"C:\Progra m Files\Ev erything\E verything. exe.exe" - startup MD5: 0170601E27117E9639851A969240B959)
- KocFkUIHAfhPoyuBQDEUMiWWSPCixy.exe (PID: 8980 cmdline:
"C:\Window s\BitLocke rDiscovery VolumeCont ents\KocFk UIHAfhPoyu BQDEUMiWWS PCixy.exe" MD5: 77967721CE1C8B3F0EB800BD33527897)
- svchost.exe (PID: 8584 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- sihost.exe (PID: 9088 cmdline:
"C:\Window s\apppatch \CustomSDB \sihost.ex e" MD5: 77967721CE1C8B3F0EB800BD33527897)
- containerwebruntime.exe (PID: 6348 cmdline:
"C:\Users\ user\AppDa ta\Roaming \surrogate Driverinto SessionNet \container webruntime .exe" MD5: 77967721CE1C8B3F0EB800BD33527897)
- KocFkUIHAfhPoyuBQDEUMiWWSPCixy.exe (PID: 6640 cmdline:
"C:\Window s\CbsTemp\ KocFkUIHAf hPoyuBQDEU MiWWSPCixy .exe" MD5: 77967721CE1C8B3F0EB800BD33527897)
- KocFkUIHAfhPoyuBQDEUMiWWSPCixy.exe (PID: 6820 cmdline:
"C:\Progra m Files (x 86)\window s nt\KocFk UIHAfhPoyu BQDEUMiWWS PCixy.exe" MD5: 77967721CE1C8B3F0EB800BD33527897)
- sihost.exe (PID: 9120 cmdline:
"C:\Window s\apppatch \CustomSDB \sihost.ex e" MD5: 77967721CE1C8B3F0EB800BD33527897)
- KocFkUIHAfhPoyuBQDEUMiWWSPCixy.exe (PID: 1880 cmdline:
"C:\Window s\BitLocke rDiscovery VolumeCont ents\KocFk UIHAfhPoyu BQDEUMiWWS PCixy.exe" MD5: 77967721CE1C8B3F0EB800BD33527897)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
{"C2 url": "http://838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads", "MUTEX": "DCR_MUTEX-D9v2NJXg7O8XLMbKG3IO", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| Click to see the 9 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| Click to see the 9 entries | ||||
System Summary |   |
|---|
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): | ||
| Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: frack113: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: vburov: | ||
Data Obfuscation | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T17:12:56.629250+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49853 | 104.21.112.1 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | Window detected: | ||