dcagentservice[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

dcagentservice.exe
Size

553KB
MD5

40a7ead53933d0ba48676907ccf2bf85
SHA1

6e5e7517f5d00bfba02334e208fe818f126c6620
SHA256

802641233ac1eeba7137129e7327ec3cb31567fd0a14436b5a39b01504cc9900
SHA512

830fdaebd7ea14678d03ebe9930ad98e65290ed7f244a433ca59230dd7db7db63f0c0e7e879cd108c0693791daa49de53e9ba098ef852eaf11d68f20ba14e959
SSDEEP

12288:3LM8I6g69Sj1epWObP+zagZKRwPPs23/StMwYyhnrj5jCvZ:3LMKg69gepbz+u4KosPOJyhnBWh

Score

1^/10

Malware Config

Signatures

Files

dcagentservice.exe
.zip

Password: India@2023@@
Device/HarddiskVolume3/Program Files (x86)/ManageEngine/UEMS_Agent/bin/dcagentservice.exe
.exe windows:5 windows x86 arch:x86

Password: India@2023@@

9d23713c29f0ba3f6b7171522f3cedcd

Code Sign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

19/09/2018, 00:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

28/07/2020, 00:00

Not After

18/03/2029, 00:00

Subject

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8f
Certificate

Issuer

CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

11/12/2023, 17:00

Not After

09/10/2026, 07:40

Subject

CN=ZOHO Corporation Private Limited,O=ZOHO Corporation Private Limited,L=Chennai,ST=Tamil Nadu,C=IN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c6:99:75:c6:78:c6:ef:b9:19:70:fc:fd:b9:64:64:b9:c8:2e:91:b8:15:ef:db:c3:23:4d:d1:73:e8:4c:b9:26
Signer

Actual PE Digest

c6:99:75:c6:78:c6:ef:b9:19:70:fc:fd:b9:64:64:b9:c8:2e:91:b8:15:ef:db:c3:23:4d:d1:73:e8:4c:b9:26

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Webhost\16-08-2024\WindowsBuilds\DC_NATIVE\8912319\desktopcentral\CLOUD_PRODUCTION\SA_SRC\native\agent\Release\uemsagentservice.pdb

Imports

advapi32

RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegQueryInfoKeyA
RevertToSelf
RegOpenCurrentUser
ImpersonateLoggedOnUser
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegQueryValueExW
RegSetValueExW
CloseServiceHandle
CreateServiceW
OpenSCManagerW
DeleteService
OpenServiceW
SetServiceStatus
RegCreateKeyW
ChangeServiceConfigW
QueryServiceConfigW
StartServiceCtrlDispatcherW
CreateProcessAsUserW
LookupAccountSidW
GetTokenInformation
OpenProcessToken
RegisterServiceCtrlHandlerExW
RegNotifyChangeKeyValue
SetNamedSecurityInfoW
RegQueryInfoKeyW
RegEnumKeyW
LookupPrivilegeNameA
LookupPrivilegeValueA
CreateProcessAsUserA
LogonUserA
RegDeleteValueA
RegDeleteValueW
RegEnumKeyA
RegOpenKeyA
GetSidSubAuthority
GetSidSubAuthorityCount
GetSidIdentifierAuthority
IsValidSid
LookupAccountNameA
CryptDestroyKey
CryptReleaseContext
CryptGenKey
CryptGetUserKey
CryptAcquireContextA
ControlService
OpenServiceA
OpenSCManagerA
QueryServiceStatusEx
CryptDestroyHash
CryptHashData
CryptCreateHash
DeregisterEventSource
ReportEventA
RegisterEventSourceA
SetTokenInformation
DuplicateTokenEx
CryptGetHashParam
QueryServiceStatus
LookupAccountSidA

ole32

StringFromGUID2
CoInitializeEx
CoCreateInstance
CoUninitialize
CoSetProxyBlanket
CoInitializeSecurity

oleaut32

SysFreeString
SysAllocString
SysStringLen
SysAllocStringByteLen
VariantClear
VariantInit
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayAccessData

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationA
WTSEnumerateSessionsA
WTSQuerySessionInformationW
WTSEnumerateSessionsW

psapi

GetModuleFileNameExW
EnumProcesses
EnumProcessModules
GetModuleBaseNameW

userenv

LoadUserProfileW
UnloadUserProfile
DestroyEnvironmentBlock
LoadUserProfileA
CreateEnvironmentBlock

wsock32

WSAStartup
WSAGetLastError
WSACleanup

netapi32

NetApiBufferFree
NetGetJoinInformation
NetWkstaUserGetInfo

crypt32

CertGetNameStringA
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject
CertCloseStore
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertOpenStore
CryptStringToBinaryA
CertCreateCertificateContext
PFXImportCertStore
PFXVerifyPassword
CertDeleteCertificateFromStore
CertVerifyTimeValidity
CertNameToStrW
CertFreeCertificateContext

winhttp

WinHttpCloseHandle
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpQueryOption
WinHttpAddRequestHeaders
WinHttpSetStatusCallback
WinHttpOpenRequest
WinHttpSetOption
WinHttpReadData
WinHttpWriteData
WinHttpOpen
WinHttpConnect

dclibxml2

xmlNewTextReaderFilename
xmlTextReaderDepth
xmlTextReaderValue
xmlTextReaderAttributeCount
xmlTextReaderName
xmlParseMemory
xmlNodeListGetString
xmlParseFile
xmlDocGetRootElement
xmlCleanupParser
xmlTextReaderRead
xmlFreeTextReader
xmlStrcmp
xmlFreeDoc
xmlTextReaderGetAttribute
xmlFree

setupapi

SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW

shell32

SHCreateDirectoryExA
SHCreateDirectoryExW

shlwapi

PathIsDirectoryA
StrStrIW
PathFindExtensionA
PathFileExistsW
StrStrIA
StrTrimA

kernel32

DecodePointer
EncodePointer
InterlockedExchange
InterlockedCompareExchange
GetStringTypeW
GetProcessHeap
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
HeapDestroy
GetLocaleInfoW
RaiseException
MoveFileExA
LocalLock
LocalUnlock
RtlUnwind
HeapSetInformation
PeekNamedPipe
GetTimeFormatA
GetDateFormatA
GetFileType
GetDriveTypeA
FindFirstFileExA
DeleteCriticalSection
DuplicateHandle
GetCPInfo
ExitThread
ExitProcess
GetCommandLineA
CompareStringW
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
IsProcessorFeaturePresent
HeapCreate
SetHandleCount
GetStdHandle
GetStartupInfoW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetConsoleCP
GetConsoleMode
SetStdHandle
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
CreatePipe
WriteConsoleW
SetEndOfFile
VirtualQuery
SetEnvironmentVariableA
ResumeThread
SuspendThread
GetNativeSystemInfo
lstrcmpiA
GetVersion
lstrcmpW
DisconnectNamedPipe
CopyFileW
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
GetProcAddress
GetModuleHandleA
lstrlenA
MultiByteToWideChar
GetLastError
LocalFree
LocalAlloc
WideCharToMultiByte
ReadFile
CloseHandle
GetFileSizeEx
CreateFileW
WriteFile
CreateDirectoryW
DeleteFileW
Sleep
CreateDirectoryA
GetModuleHandleW
InterlockedIncrement
GetModuleFileNameW
LoadLibraryW
CreateThread
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
SystemTimeToFileTime
GetCurrentProcess
TerminateProcess
OpenProcess
lstrlenW
FormatMessageW
CreateTimerQueueTimer
CreateTimerQueue
GetSystemTime
FreeConsole
GenerateConsoleCtrlEvent
GetExitCodeProcess
InterlockedDecrement
CreateFileA
WaitForSingleObject
CreateProcessW
GetCurrentProcessId
DeleteTimerQueue
GetCurrentThreadId
FileTimeToLocalFileTime
GetSystemTimeAsFileTime
SetEvent
OpenEventA
DeleteTimerQueueTimer
GetTickCount
CreateEventW
FreeLibrary
SetConsoleCtrlHandler
TerminateThread
DeviceIoControl
GetDriveTypeW
LeaveCriticalSection
InitializeCriticalSection
EnterCriticalSection
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
GetLocalTime
ReleaseMutex
WaitForMultipleObjects
CreateProcessA
SetCurrentDirectoryA
GetCurrentDirectoryA
Process32Next
ProcessIdToSessionId
Process32First
SetCurrentDirectoryW
SetFilePointer
LoadLibraryA
DeleteFileA
GetFileInformationByHandle
GetModuleFileNameA
ConnectNamedPipe
CreateNamedPipeA
SetLastError
GetCurrentDirectoryW
FileTimeToSystemTime
GetSystemDirectoryA
CopyFileA
FindClose
FindNextFileA
SystemTimeToTzSpecificLocalTime
FindFirstFileA
ExpandEnvironmentStringsA
GetSystemInfo
GetVersionExA
GetComputerNameExW
FormatMessageA
GetFileSize
SetDllDirectoryA
CreateMutexA
GetFileAttributesA
GetLocaleInfoA
GetTimeZoneInformation
FindNextFileW
FindFirstFileW
GetEnvironmentVariableW
GetFileAttributesExA
GetFullPathNameA
InitializeCriticalSectionAndSpinCount
QueryPerformanceCounter
FlushFileBuffers

user32

UnregisterDeviceNotification
wsprintfW
wsprintfA
RegisterDeviceNotificationW
MessageBoxA

odbc32

ord43
ord36
ord29
ord9
ord41
ord31
ord1
ord2
ord20
ord16
ord12
ord19
ord3
ord49
ord48
ord72
ord39
ord13
ord4
ord8
ord18
ord11
ord26

Sections

.text
Size: 873KB - Virtual size: 873KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 259KB - Virtual size: 259KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 52KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 81KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
manifest.json

Sharing

General

Malware Config

Signatures

Files

Password: India@2023@@

Password: India@2023@@

9d23713c29f0ba3f6b7171522f3cedcd

Code Sign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6aCertificate

Key Usages

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54Certificate

Extended Key Usages

Key Usages

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47Certificate

Extended Key Usages

Key Usages

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8fCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

c6:99:75:c6:78:c6:ef:b9:19:70:fc:fd:b9:64:64:b9:c8:2e:91:b8:15:ef:db:c3:23:4d:d1:73:e8:4c:b9:26Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

ole32

oleaut32

wtsapi32

psapi

userenv

wsock32

netapi32

crypt32

winhttp

dclibxml2

setupapi

shell32

shlwapi

kernel32

user32

odbc32

Sections

.text Size: 873KB - Virtual size: 873KB

.rdata Size: 259KB - Virtual size: 259KB

.data Size: 52KB - Virtual size: 63KB

.rsrc Size: 512B - Virtual size: 504B

.reloc Size: 81KB - Virtual size: 80KB

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47
Certificate

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8f
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

c6:99:75:c6:78:c6:ef:b9:19:70:fc:fd:b9:64:64:b9:c8:2e:91:b8:15:ef:db:c3:23:4d:d1:73:e8:4c:b9:26
Signer

.text
Size: 873KB - Virtual size: 873KB

.rdata
Size: 259KB - Virtual size: 259KB

.data
Size: 52KB - Virtual size: 63KB

.rsrc
Size: 512B - Virtual size: 504B

.reloc
Size: 81KB - Virtual size: 80KB