Windows
Analysis Report
adKGhCOOzg.exe
Overview
General Information
Sample name: | adKGhCOOzg.exe (renamed because the original name is a hash value) |
Original sample name: | 3b5ae0315b4623a6bd2c711bc8b8e28f.exe |
Analysis ID: | 1520355 |
MD5: | 3b5ae0315b4623a6bd2c711bc8b8e28f |
SHA1: | ff99120c5150373aba0c519417fa4b545c70d4ca |
SHA256: | af20afbe249de8d37ecdae69670fdced02fdfbbfdf7a1f2810e7628b52e29e4c |
Tags: | DCRat, exe, user-abuse_ch |
Detection
DCRat
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains potential unpacker
AI detected suspicious sample
Creates processes via WMI
Disable Task Manager(disabletaskmgr)
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Disables the Windows task manager (taskmgr)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match
Classification
- System is w10x64
- adKGhCOOzg.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\adKGhCOOzg.exe" MD5: 3B5AE0315B4623A6BD2C711BC8B8E28F)
- wscript.exe (PID: 7540 cmdline: "C:\Windows\System32\WScript.exe" "C:\portcontainerRef\myQbMgAKm.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 7632 cmdline: C:\Windows\system32\cmd.exe /c ""C:\portcontainerRef\J34SCTDenq2CEriZjkOuf.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- SurrogateContainerAgent.exe (PID: 7676 cmdline: "C:\portcontainerRef\SurrogateContainerAgent.exe" MD5: 7AF97370DBD8A244A113783A7021E677)
- schtasks.exe (PID: 8116 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 14 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 8172 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 7276 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 11 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1704 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 7 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 1052 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmE" /sc ONLOGON /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- schtasks.exe (PID: 728 cmdline: schtasks.exe /create /tn "zTShuhFeOCWKXCInUCSTgJmEz" /sc MINUTE /mo 5 /tr "'C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- cmd.exe (PID: 1136 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\suxlltqCa3.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- w32tm.exe (PID: 7092 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
- zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 1868 cmdline: "C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe" MD5: 7AF97370DBD8A244A113783A7021E677)
- reg.exe (PID: 7500 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 7108 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
- zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 2156 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
- wscript.exe (PID: 2552 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\d652d8e0-fd2b-4425-99bd-1792324a729f.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 5336 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
- wscript.exe (PID: 4944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\a838f51f-2608-4fa8-98f2-8c025efe4e1a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 5376 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
- wscript.exe (PID: 352 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\91745221-1208-4818-9185-e92567cf8b4d.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 3420 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
- wscript.exe (PID: 1056 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\9e72009f-739b-4ea4-b505-4e802e14614f.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 4460 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
- wscript.exe (PID: 8000 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c1de1a4a-c903-48ef-a3ac-c4f3ffa7e9ae.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- zTShuhFeOCWKXCInUCSTgJmE.exe (PID: 3592 cmdline: C:\portcontainerRef\zTShuhFeOCWKXCInUCSTgJmE.exe MD5: 7AF97370DBD8A244A113783A7021E677)
- wscript.exe (PID: 3896 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\01cb5ea0-7f93-4a93-908b-352473040093.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 7792 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\c755c5ef-7934-4641-b1a5-88ef130986ad.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 7000 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\1aed32cf-2de1-4530-92b6-4347a499f45a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 1816 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\8636c2ce-b0e0-4557-b01c-75132397eb84.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 1132 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\5607663c-c622-426c-855c-ef5fb85dae90.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 7620 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\edd106de-c4c6-4bbc-b780-ae6716fb30a7.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 2624 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\f765102e-847e-4ba7-8e69-2cfb40b35d1c.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{"SCRT": "{\"A\":\"#\",\"L\":\"|\",\"N\":\"*\",\"I\":\".\",\"K\":\"&\",\"y\":\"-\",\"U\":\"_\",\"n\":\",\",\"R\":\"(\",\"M\":\")\",\"J\":\"@\",\"T\":\"<\",\"6\":\"%\",\"e\":\"$\",\"Z\":\"`\",\"X\":\";\",\"0\":\"^\",\"i\":\">\",\"F\":\"~\",\"C\":\" \",\"d\":\"!\"}", "PCRT": "{\"x\":\"(\",\"1\":\"|\",\"Z\":\"$\",\"Q\":\"%\",\"l\":\"&\",\"B\":\"<\",\"V\":\"@\",\"M\":\"`\",\"3\":\">\",\"U\":\"-\",\"i\":\"!\",\"K\":\",\",\"5\":\".\",\"k\":\" \",\"H\":\";\",\"a\":\"_\",\"E\":\"^\",\"0\":\"*\",\"F\":\"#\",\"r\":\"~\",\"L\":\")\"}", "TAG": "", "MUTEX": "DCR_MUTEX-3iI7MItHmWcowgxJeEuX", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded | Detects executables referencing many base64-encoded IR and analysis tools names | ditekSHen | | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Michael Haag: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T08:42:23.336887+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49714 | 141.8.194.149 | 80 | TCP |
2024-09-27T08:42:44.758842+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49715 | 141.8.194.149 | 80 | TCP |
2024-09-27T08:42:57.134633+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49716 | 141.8.194.149 | 80 | TCP |
2024-09-27T08:43:21.620955+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49718 | 141.8.194.149 | 80 | TCP |
2024-09-27T08:43:36.033260+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49719 | 141.8.194.149 | 80 | TCP |
2024-09-27T08:43:53.823199+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49720 | 141.8.194.149 | 80 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_0034A5F4 | |
Source: | Code function: | 0_2_0035B8E0 | |
Source: | Code function: | 0_2_0036AAA8 |
Source: | File opened: |
Networking |
---|
Source: | Suricata IDS: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |