Malware Analysis Report

2024-11-15 05:49

Sample ID 240513-x91b3sbg85
Target 19oa2h6ibyxkuece.exe
SHA256 96e667b3511fd706f966946c64f7764b26f26c93b5297b36d8a6961921fb6eaa
Tags
rat dcrat infostealer
score
10/10


Analysis Overview

score
10/10

SHA256

96e667b3511fd706f966946c64f7764b26f26c93b5297b36d8a6961921fb6eaa

Threat Level: Known bad (file 19oa2h6ibyxkuece.exe)

Malicious Activity Summary

Tags: rat dcrat infostealer

Signatures matched across the analyses below (one entry per distinct signature; details per analysis):

Dcrat family
DcRat
DCRat payload
Process spawned unexpected child process
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15. The rendered matrix did not survive extraction; the techniques below are mapped by the editor from the behaviour recorded in behavioral1 and are not taken from the original page:

T1059.005 Command and Scripting Interpreter: Visual Basic (WScript.exe running 3dlXE8sYrHdS9t5pGyfBIdd4.vbe)
T1059.003 Command and Scripting Interpreter: Windows Command Shell (cmd.exe running O9huK39vJg2D.bat)
T1053.005 Scheduled Task/Job: Scheduled Task (19 schtasks.exe /create invocations)
T1047 Windows Management Instrumentation (schtasks.exe spawned by WmiPrvSE.exe)
T1036.005 Masquerading: Match Legitimate Name or Location (task targets named RuntimeBroker.exe, winlogon.exe, sysmon.exe and similar, placed outside C:\Windows)

Analysis: static1

Detonation Overview

Reported

2024-05-13 19:33

Signatures

DCRat payload (rat)
Static match on the file; no per-event indicators.

Dcrat family (dcrat)
Static match on the file; no per-event indicators.

Unsigned PE
The executable carries no Authenticode signature; no per-event indicators.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 19:33

Reported

2024-05-13 19:34

Platform

win11-20240426-en

Max time kernel

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (19 identical events, one per schtasks.exe /create command listed under Processes)

WmiPrvSE.exe being the parent means the tasks were registered through WMI process creation rather than by a direct CreateProcess call: the schtasks.exe instances are children of the WMI provider host, not of hyperagentsvc.exe or of the sample. A detection that only walks the malware's own process tree never sees them, which is why the sandbox keys on the parent being WmiPrvSE.exe.
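The WMI-parented schtasks.exe launches above are the part of this run a process-tree view hides. The following is an added example (not code from the report or from the sandbox vendor) that runs the same rule over constructed Sysmon-style process-creation events: it flags WmiPrvSE.exe spawning a scripting or task-management binary, shows that the flagged process's lineage ends at svchost.exe rather than at the malware, clusters the launches into a burst, and falls back to time correlation to recover the likely initiator. The image paths and PIDs 4760 and 3976 come from the report; every other PID, the timestamps and the svchost/explorer root processes are assumptions made up for the example.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process-creation events in the shape of Sysmon Event ID 1, trimmed to what
# the rules need. Image paths and PIDs 4760/3976 come from the report; the other PIDs, the
# timestamps (seconds) and the svchost/explorer roots are invented for this example.
EVENTS = [
    {"ts": -60, "pid": 700,  "ppid": 500,  "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": -30, "pid": 1200, "ppid": 900,  "image": r"C:\Windows\explorer.exe"},
    {"ts": 0,   "pid": 4760, "ppid": 1200, "image": r"C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe"},
    {"ts": 1,   "pid": 3976, "ppid": 4760, "image": r"C:\Windows\SysWOW64\WScript.exe"},
    {"ts": 2,   "pid": 5120, "ppid": 3976, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"ts": 3,   "pid": 5200, "ppid": 5120, "image": r"C:\BrowserfontWininto\hyperagentsvc.exe"},
    {"ts": 3,   "pid": 1480, "ppid": 700,  "image": r"C:\Windows\system32\wbem\wmiprvse.exe"},
] + [
    # Five of the report's nineteen WMI-parented schtasks.exe launches, one per second.
    {"ts": 4 + i, "pid": 6000 + i, "ppid": 1480, "image": r"C:\Windows\system32\schtasks.exe"}
    for i in range(5)
] + [
    # Control: an operator running schtasks from an Explorer-launched session has no WMI parent.
    {"ts": 40, "pid": 7100, "ppid": 1200, "image": r"C:\Windows\System32\schtasks.exe"},
]

WMI_HOST = "wmiprvse.exe"
WATCHED_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WINDOWS_DIR = "c:\\windows\\"


def basename(image):
    return PureWindowsPath(image).name.lower()


def lineage(pid, by_pid):
    """Image names from a process up to its oldest known ancestor, following ppid links."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def wmi_spawn_hits(events):
    """Rule: the WMI provider host spawning a scripting/task binary is not normal activity."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == WMI_HOST and basename(e["image"]) in WATCHED_CHILDREN:
            hits.append({"pid": e["pid"], "ts": e["ts"], "child": basename(e["image"]),
                         "parent_pid": parent["pid"], "lineage": lineage(e["pid"], by_pid)})
    return hits


def burst_alerts(hits, window=10, threshold=3):
    """Collapse repeated hits under one WmiPrvSE.exe into a single alert per burst."""
    by_parent = defaultdict(list)
    for h in hits:
        by_parent[h["parent_pid"]].append(h["ts"])
    alerts = []
    for ppid, times in by_parent.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= threshold:
                alerts.append({"parent_pid": ppid, "count": n, "start": t0})
                break
    return alerts


def suspected_initiators(hits, events, lookback=10):
    """WMI hides the real caller from the parent chain, so fall back on time: processes
    started from outside the Windows directory shortly before the first hit, nearest first."""
    if not hits:
        return []
    first = min(h["ts"] for h in hits)
    cands = [e for e in events
             if first - lookback <= e["ts"] <= first
             and not e["image"].lower().startswith(WINDOWS_DIR)]
    return sorted(cands, key=lambda e: first - e["ts"])


if __name__ == "__main__":
    hits = wmi_spawn_hits(EVENTS)
    for h in hits:
        print(f"hit pid={h['pid']} {h['child']} lineage={' <- '.join(h['lineage'])}")
    for a in burst_alerts(hits):
        print(f"burst: {a['count']} launches under WmiPrvSE pid {a['parent_pid']} from t={a['start']}")
    for c in suspected_initiators(hits, EVENTS):
        print(f"candidate initiator: pid={c['pid']} {c['image']}")
```

The lineage of every flagged schtasks.exe is schtasks.exe, wmiprvse.exe, svchost.exe; hyperagentsvc.exe never appears in it, which is the point of the WMI detour. The time-based fallback is a heuristic and ranks the sample's own processes first only because nothing else non-Windows started in the window; in production it is a triage aid, not a second rule.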

DCRat payload

rat
Description Indicator Process Target
(3 matches; no per-event indicators recorded)

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe N/A

The per-user Classes\Local Settings key is created by many ordinary processes on first use of shell or COM APIs; on its own this event carries little signal and is not a persistence indicator.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe C:\Windows\SysWOW64\WScript.exe (3 events)

All three writes go from the sample to the WScript.exe child it has just launched to run the .vbe dropper, which is consistent with a parent setting up its new process rather than with code injection into an unrelated target. Treat it as supporting evidence for the execution chain, not as an injection finding.

Processes

C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe

"C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BrowserfontWininto\3dlXE8sYrHdS9t5pGyfBIdd4.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\BrowserfontWininto\O9huK39vJg2D.bat" "

C:\BrowserfontWininto\hyperagentsvc.exe

"C:\BrowserfontWininto\hyperagentsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BrowserfontWininto\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Videos\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
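Every task above is created with /f, so where a name is reused (fontdrvhostf, sihosts, dllhostd, sysmon, sysmons) the later definition silently replaces the earlier one, and every target is a Windows-binary name dropped somewhere other than the Windows directory. The following is an added example (not code from the report or from the sandbox vendor) that parses the 19 command lines above, works out which task names survive the /f overwrites and what they finally point at, flags look-alike targets outside C:\Windows, and counts the tasks that request the highest run level. The tokenizer, the set of imitated image names and the single constructed control line (a task pointing at the real explorer.exe in its real location) are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# The 19 schtasks.exe command lines recorded in behavioral1, copied from the report.
REPORT_CMDLINES = r"""
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\fontdrvhost.exe'" /f
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BrowserfontWininto\winlogon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /f
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Videos\sysmon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /f
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /f
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
""".strip().splitlines()

# Constructed control line (not from the report): a legitimate image name in its legitimate location.
CONTROL_CMDLINE = r'schtasks.exe /create /tn "ShellRestart" /sc ONLOGON /tr "C:\Windows\explorer.exe"'

# Image names of built-in Windows processes (plus Sysinternals sysmon.exe) that the dropped files imitate.
SYSTEM_IMAGE_NAMES = {"runtimebroker.exe", "fontdrvhost.exe", "winlogon.exe", "sihost.exe", "explorer.exe",
                      "dllhost.exe", "sppsvc.exe", "startmenuexperiencehost.exe", "sysmon.exe"}
WINDOWS_DIR = "c:\\windows\\"

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line into tokens, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def image_of(target):
    """Executable path from a /tr value: strip the single quotes DCRat wraps it in, drop any arguments."""
    target = target.strip("'")
    m = re.match(r"(.*?\.exe)(?:\s|$)", target, re.IGNORECASE)
    return m.group(1) if m else target.split(" ", 1)[0]


def parse_schtasks_create(cmdline):
    """Return the fields of a 'schtasks /create' command line, or None for anything else."""
    toks = tokenize(cmdline)
    if len(toks) < 2 or toks[0].lower() not in ("schtasks", "schtasks.exe") or toks[1].lower() != "/create":
        return None
    task = {"name": None, "schedule": None, "modifier": None, "target": None,
            "runlevel": "LIMITED", "force": False, "cmdline": cmdline}  # LIMITED is schtasks' default
    i = 2
    while i < len(toks):
        opt = toks[i].lower()
        val = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "/f":
            task["force"] = True
            i += 1
            continue
        if opt == "/tn":
            task["name"] = val
        elif opt == "/sc":
            task["schedule"] = val.upper()
        elif opt == "/mo":
            task["modifier"] = int(val)
        elif opt == "/tr":
            task["target"] = image_of(val)
        elif opt == "/rl":
            task["runlevel"] = val.upper()
        i += 2  # every other option handled here takes exactly one value
    return task


def is_masquerade(image):
    """A system-binary name living anywhere but under the Windows directory is a look-alike."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_IMAGE_NAMES and not str(p).lower().startswith(WINDOWS_DIR)


def analyze(cmdlines):
    tasks = [t for t in map(parse_schtasks_create, cmdlines) if t]
    final, overwritten = {}, set()
    for t in tasks:
        if t["name"] in final:
            if not t["force"]:
                continue  # without /f schtasks refuses to replace an existing task
            overwritten.add(t["name"])
        final[t["name"]] = t  # with /f the later definition silently wins
    return {
        "tasks": tasks,
        "final": final,
        "overwritten": sorted(overwritten),
        "masquerades": [t for t in tasks if is_masquerade(t["target"])],
        "highest": [t for t in tasks if t["runlevel"] == "HIGHEST"],
        "fastest_minutes": min((t["modifier"] for t in tasks if t["schedule"] == "MINUTE"), default=None),
    }


if __name__ == "__main__":
    r = analyze(REPORT_CMDLINES + [CONTROL_CMDLINE])
    print(f"{len(r['tasks'])} /create commands -> {len(r['final'])} task names; "
          f"redefined via /f: {', '.join(r['overwritten'])}; shortest interval {r['fastest_minutes']} min")
    for name, t in r["final"].items():
        flag = "MASQUERADE" if is_masquerade(t["target"]) else "ok"
        print(f"{flag:10} {name:26} {t['schedule']:7} {t['modifier'] or '':>3} {t['runlevel']:8} {t['target']}")
```

Running it shows that the two fontdrvhostf definitions collapse to the C:\Users\Public\Libraries copy and the two sihosts definitions to the 5-minute, highest-run-level one; the same check against `schtasks /query /xml` output, or against Security event 4698, is what to run on a host suspected of carrying this family.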

Network

N/A

No connections were captured: the run stopped after 12 s of kernel time (see Detonation Overview), before any of the ONLOGON or MINUTE-interval tasks above could fire, and only one of their targets (RuntimeBroker.exe under Windows Mail, listed under Files) had been written to disk by then. The absence of C2 traffic here says nothing about what the persisted payloads do.

Files

C:\BrowserfontWininto\3dlXE8sYrHdS9t5pGyfBIdd4.vbe

MD5 b8e2e37054ea4d38065ca952d6d84b44
SHA1 2e53e2f24a6a8980ffe933f07604dbd47f29e35d
SHA256 0098c79333600eb0a4121fd7c7a17e6c66ba8decad28dfd7a4b27be56b517cb2
SHA512 6f477a8a943f02afe5c3a7c2ba2c48a57ec2e8a4af029b9396b84e9eb84835a0a12e08c6aac9c128c2d243632f9a051d2b443a525b51ff5efa5d6f0bd29f2f47

C:\BrowserfontWininto\O9huK39vJg2D.bat

MD5 749eca6bd4b12b325159837abc0797b2
SHA1 837b704e4ec038468364c09df18d879164483c14
SHA256 255513dd588a6e344367c566daef338d25e68e6150481c5d345aeb2c4f099708
SHA512 1b34ff9fd39a1c631485ff26faa30a2dfc9a6cd773d016a4841ebd6776e77980ea71207f5ee608833b7e78798c7a47497cfb57336585f0d862973797aec49253

C:\BrowserfontWininto\hyperagentsvc.exe

MD5 764d2b855ffa643d2b4f69bb6bc616fa
SHA1 c519ec7f05277231cf5a6541525f398bedee0ebc
SHA256 a9dcf34f68612934c8bb265f6e679b52f7b92c64be84d6d96ef2d0cca0a50f87
SHA512 804d1bc07be9437cca40971d4d889dd86e5b732f47e73ac74fcef1e50d64c73aab2d8900f4bc4e5352be515d8396fd16ff969bc23f57ea259b8c4d62bc0a8967

Memory dumps (PID 2840)

memory/2840-12-0x00007FFDCFA93000-0x00007FFDCFA95000-memory.dmp
memory/2840-13-0x00000000000D0000-0x0000000000202000-memory.dmp
memory/2840-14-0x0000000000A60000-0x0000000000A7C000-memory.dmp
memory/2840-15-0x000000001B590000-0x000000001B5E0000-memory.dmp
memory/2840-16-0x000000001AEC0000-0x000000001AED6000-memory.dmp
memory/2840-17-0x0000000000A80000-0x0000000000A8C000-memory.dmp

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

MD5 dca1fab69bdcab1a75787e7c1ec1ec14
SHA1 2676f0ff21ab83b506eaa11dcf79cb3c99744320
SHA256 60b51783cb0a44b6397cf90145a24c8678b126ef740d56d8e8a8a17d59a9a6df
SHA512 bd184e3fb09c854de92c71a76725945c1fef11a1133ce28c3ee03006268a577b74168420ccbd153bda67e91d590c7202a1890f937ff013dc726dac37694adfa2

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 19:33

Reported

2024-05-13 19:34

Platform

debian12-armhf-20240221-en

Max time network

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

The sample is a Windows PE; on this Linux/ARM image it was never executed (no command line, no processes, 0 s of network time), so this detonation carries no signal either way.

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-13 19:33

Reported

2024-05-13 19:34

Platform

ubuntu2004-amd64-20240508-en

Max time kernel

0s

Max time network

0s

Command Line

[/tmp/19oa2h6ibyxkuece.exe]

Signatures

N/A

Processes

/tmp/19oa2h6ibyxkuece.exe

[/tmp/19oa2h6ibyxkuece.exe]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp

The only traffic is multicast DNS to 224.0.0.251:5353, the Linux guest's own service-discovery background noise. With 0 s of kernel time for a Windows PE on an Ubuntu image, it is not attributable to the sample.

Files

N/A