Analysis Overview
SHA256: 708f1bcec066db275b751c43a2b92fe54ea5f82e33c61b0114a249476a9ad8d6
Threat Level: Known bad
The file RakBot.exe_infected was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
DCRat payload
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-29 22:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-29 22:56
Reported: 2024-10-29 22:58
Platform: win10v2004-20241007-en
Max time kernel: 52s
Max time network: 60s
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\e5JLtOJeHx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3328 set thread context of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | C:\Users\Admin\AppData\Local\Temp\RakBot.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\dotnet\swidtag\WmiPrvSE.exe | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| File created | C:\Program Files\dotnet\swidtag\24dbde2999530e | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\cc11b995f2a76d | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\fr-FR\6ccacd8608530f | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| File created | C:\Windows\en-US\lsass.exe | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| File created | C:\Windows\en-US\6203df4a6bafc7 | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| File created | C:\Windows\fr-FR\Idle.exe | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| File opened for modification | C:\Windows\fr-FR\Idle.exe | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\RakBot.exe | "C:\Users\Admin\AppData\Local\Temp\RakBot.exe" |
| C:\Users\Admin\AppData\Local\Temp\RakBot.exe | "C:\Users\Admin\AppData\Local\Temp\RakBot.exe" |
| C:\Users\Admin\AppData\Roaming\e5JLtOJeHx.exe | "C:\Users\Admin\AppData\Roaming\e5JLtOJeHx.exe" |
| C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe | "C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcJ0BzVyVU.bat" |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe | "C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 89.110.93.210:80 | 89.110.93.210 | tcp |
| RU | 89.110.93.210:80 | 89.110.93.210 | tcp |
| US | 8.8.8.8:53 | 210.93.110.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.190.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\e5JLtOJeHx.exe
| Hash | Value |
| --- | --- |
| MD5 | f3edff85de5fd002692d54a04bcb1c09 |
| SHA1 | 4c844c5b0ee7cb230c9c28290d079143e00cb216 |
| SHA256 | caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131 |
| SHA512 | 531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d |
C:\Users\Admin\AppData\Roaming\1silCLmjJD.exe
| Hash | Value |
| --- | --- |
| MD5 | 1088e239e86c2316358d4e5b82810fa2 |
| SHA1 | 5a16e420b1aa52c4dcd9f0bced05a59e679997a5 |
| SHA256 | 0fa75c70f7304d35a4aed13dfe72793008610b429820ab8bc2ad45d3abd5e1b2 |
| SHA512 | 2b79a3aca00ab269d1d8a1874bc0ce3ab06d18aa8c0d1af363f54b569e16e3a0c0fbf88ca4e76f5db3e2302e7d7b20a59bf6c76295c96179ded03c71060ac073 |
C:\Users\Admin\AppData\Local\Temp\tcJ0BzVyVU.bat
| Hash | Value |
| --- | --- |
| MD5 | 21a9dbd94046fd0c7f7349f3312ea38b |
| SHA1 | 9228c97e5450f566aa15ae5a33a423951416f05d |
| SHA256 | 266b23056ece1e4e3fe806e2f56e435cc1c7e9d2f68e44748bd1e5bb5c606ef7 |
| SHA512 | fdb75c5442b72bf98bf2c277824ea91ad1ae5f90b45723a67761054fdb64d137c5464b1cad8a80969f2bc223e0476e42fbdc1f2f42ecb292f9cbfafa4c1ee754 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-29 22:56
Reported: 2024-10-29 22:58
Platform: win7-20241010-en
Max time kernel: 51s
Max time network: 66s
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tvsAAll0AZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Defender\de-DE\lsass.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2528 set thread context of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | C:\Users\Admin\AppData\Local\Temp\RakBot.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Windows Defender\System.exe | C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe | N/A |
| File created | C:\Program Files\Windows Defender\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe | N/A |
| File created | C:\Program Files\Windows Defender\de-DE\lsass.exe | C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe | N/A |
| File created | C:\Program Files\Windows Defender\de-DE\6203df4a6bafc7 | C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Defender\de-DE\lsass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\RakBot.exe | "C:\Users\Admin\AppData\Local\Temp\RakBot.exe" |
| C:\Users\Admin\AppData\Local\Temp\RakBot.exe | "C:\Users\Admin\AppData\Local\Temp\RakBot.exe" |
| C:\Users\Admin\AppData\Roaming\tvsAAll0AZ.exe | "C:\Users\Admin\AppData\Roaming\tvsAAll0AZ.exe" |
| C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe | "C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mYkkPZWoAf.bat" |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Program Files\Windows Defender\de-DE\lsass.exe | "C:\Program Files\Windows Defender\de-DE\lsass.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 89.110.93.210:80 | 89.110.93.210 | tcp |
| RU | 89.110.93.210:80 | 89.110.93.210 | tcp |
Files
C:\Users\Admin\AppData\Roaming\tvsAAll0AZ.exe
| Hash | Value |
| --- | --- |
| MD5 | f3edff85de5fd002692d54a04bcb1c09 |
| SHA1 | 4c844c5b0ee7cb230c9c28290d079143e00cb216 |
| SHA256 | caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131 |
| SHA512 | 531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d |
C:\Users\Admin\AppData\Roaming\FUuTM4xKD1.exe
| Hash | Value |
| --- | --- |
| MD5 | 1088e239e86c2316358d4e5b82810fa2 |
| SHA1 | 5a16e420b1aa52c4dcd9f0bced05a59e679997a5 |
| SHA256 | 0fa75c70f7304d35a4aed13dfe72793008610b429820ab8bc2ad45d3abd5e1b2 |
| SHA512 | 2b79a3aca00ab269d1d8a1874bc0ce3ab06d18aa8c0d1af363f54b569e16e3a0c0fbf88ca4e76f5db3e2302e7d7b20a59bf6c76295c96179ded03c71060ac073 |
C:\Users\Admin\AppData\Local\Temp\mYkkPZWoAf.bat
| Hash | Value |
| --- | --- |
| MD5 | 1aed6093e34b14abd074607f16df95e6 |
| SHA1 | 6d31ea34b4d93a4b79a7c9fbd6f78a38face0309 |
| SHA256 | 944112ded33b8b2916cbd3e5ca4f92e615d89b21fce527c192ecfd304a7714bf |
| SHA512 | cc7fb9b32f007f702c9495b996453b09b4f9f2687257557392b43d6ac70df4ad9a6bfbcf54bd86c56a975903075e9a43681a977f656781b67f49591e4298a846 |