Edit tour
Windows
Analysis Report
AstralprivateDLL.exe.bin.exe
Overview
General Information
| Sample name: | AstralprivateDLL.exe.bin.exe |
| Analysis ID: | 1590023 |
| MD5: | c9f4668c97eb480751e1bbf6173fc4e1 |
| SHA1: | 528deade2bc88cafc26f78f7c73490b66abdf370 |
| SHA256: | b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240 |
| Tags: | DCRatexeNyashTeamuser-MalHunter3 |
| Infos: |   |
 | |
Detection
DCRat, PureLog Stealer, Xmrig, zgRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Sigma detected: Stop multiple services
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Stops critical windows services
Suspicious powershell command line found
Uses Register-ScheduledTask to add task schedules
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
AstralprivateDLL.exe.bin.exe (PID: 7116 cmdline: "C:\Users\ user\Deskt op\Astralp rivateDLL. exe.bin.ex e" MD5: C9F4668C97EB480751E1BBF6173FC4E1) - Astral private DLL.exe (PID: 5040 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Astral private D LL.exe" MD5: C28FADCE847B20E2442ABA2F2F9F5699) 
wscript.exe (PID: 5216 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\co ntainerper f\mtmIdTw4 RygS3trJMn WvLFqF6dzR pLwhZvwqEP qaKDGsnR5l ufKuCs3iyL .vbe" MD5: FF00E0480075B095948000BDC66E81F0) 
cmd.exe (PID: 6472 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\cont ainerperf\ OHYKCXOXzF m1PCyBPS6u Xfmto4OWxv 9XE4FGIVj. bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6168 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
reg.exe (PID: 4960 cmdline: reg add HK CU\Softwar e\Microsof t\Windows\ CurrentVer sion\Polic ies\System /v Disabl eTaskMgr / t REG_DWOR D /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - ServerComponenthostMonitorDll.exe (PID: 6808 cmdline:
"C:\contai nerperf/Se rverCompon enthostMon itorDll.ex e" MD5: 01287AA2A0B5D2178CB13C477A04DC21) - csc.exe (PID: 2424 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\toes5w xx\toes5wx x.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66) - conhost.exe (PID: 1220 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cvtres.exe (PID: 4488 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESF04D.tm p" "c:\Win dows\Syste m32\CSCC4E E3A8794047 10AD2E4883 A563BED.TM P" MD5: C877CBB966EA5939AA2A17B6A5160950) - twain_32.exe (PID: 4948 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\twain_ 32.exe" MD5: 1FF26B7D334CD22E726CAF72A4208B96) 
dialer.exe (PID: 1456 cmdline: C:\Windows \System32\ dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93) 
winlogon.exe (PID: 552 cmdline: winlogon.e xe MD5: F8B41A1B3E569E7E6F990567F21DCE97) - lsass.exe (PID: 628 cmdline:
C:\Windows \system32\ lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A) 
MpCmdRun.exe (PID: 1720 cmdline: "C:\Progra m Files\Wi ndows Defe nder\mpcmd run.exe" - wdenable MD5: B3676839B2EE96983F9ED735CD044159) - conhost.exe (PID: 3720 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 1720 cmdline:
schtasks.e xe /create /tn "lsas sl" /sc MI NUTE /mo 9 /tr "'C:\ containerp erf\lsass. exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - svchost.exe (PID: 920 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - dwm.exe (PID: 988 cmdline:
"dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C) - svchost.exe (PID: 364 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s g psvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 356 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 696 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 592 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s TimeBroke rSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1044 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s S chedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - Conhost.exe (PID: 9200 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Conhost.exe (PID: 9548 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Conhost.exe (PID: 9336 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Conhost.exe (PID: 8604 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
powershell.exe (PID: 5800 cmdline: C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe Ad d-MpPrefer ence -Excl usionPath @($env:Use rProfile, $env:Progr amFiles) - Force MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 3492 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 648 cmdline:
C:\Windows \System32\ cmd.exe /c sc stop U soSvc & sc stop WaaS MedicSvc & sc stop w uauserv & sc stop bi ts & sc st op dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4476 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 4924 cmdline:
sc stop Us oSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 1016 cmdline:
sc stop Wa aSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 2516 cmdline:
sc stop wu auserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 6520 cmdline:
sc stop bi ts MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 3272 cmdline:
sc stop do svc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- cmd.exe (PID: 4108 cmdline:
C:\Windows \System32\ cmd.exe /c powercfg /x -hibern ate-timeou t-ac 0 & p owercfg /x -hibernat e-timeout- dc 0 & pow ercfg /x - standby-ti meout-ac 0 & powercf g /x -stan dby-timeou t-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6420 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 3492 cmdline:
powercfg / x -hiberna te-timeout -ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 1016 cmdline:
powercfg / x -hiberna te-timeout -dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 5812 cmdline:
powercfg / x -standby -timeout-a c 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 6064 cmdline:
powercfg / x -standby -timeout-d c 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- powershell.exe (PID: 1460 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe <# amvyyojjq# > IF([Syst em.Environ ment]::OSV ersion.Ver sion -lt [ System.Ver sion]"6.2" ) { schtas ks /create /f /sc on logon /rl highest /r u 'System' /tn 'Goog leUpdateTa skMachineQ C' /tr ''' C:\Program Files\Goo gle\Chrome \updater.e xe''' } El se { Regis ter-Schedu ledTask -A ction (New -Scheduled TaskAction -Execute 'C:\Progra m Files\Go ogle\Chrom e\updater. exe') -Tri gger (New- ScheduledT askTrigger -AtStartu p) -Settin gs (New-Sc heduledTas kSettingsS et -AllowS tartIfOnBa tteries -D isallowHar dTerminate -DontStop IfGoingOnB atteries - DontStopOn IdleEnd -E xecutionTi meLimit (N ew-TimeSpa n -Days 10 00)) -Task Name 'Goog leUpdateTa skMachineQ C' -User ' System' -R unLevel 'H ighest' -F orce; } MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1608 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| Click to see the 9 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| Click to see the 9 entries | ||||
Operating System Destruction |   |
|---|
| Source: | Author: Joe Security: | ||
System Summary | |
|---|
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Jonathan Cheong, oscd.community: | ||