File name:	SPOOFER.exe
Full analysis:	https://app.any.run/tasks/a1223c5f-06ef-4892-b1c8-3aff9e7ddc20
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 28, 2023, 18:37:51
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rat backdoor dcrat remote stealer quasar
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	0C0DC0CF41E3C993AE5A22803275949A
SHA1:	E372DF2088DFA0695608A0ECF9B98C133ABCF8F6
SHA256:	18425DAE9F0A49097D0ABDD28EC465BFE2F4161B7849FB28494B8058A18EBCFC
SSDEEP:	49152:oXHWn7GGotieByewT9gG21ntArAfjm6miv/t61TRORHEuEu1kGNkLde+tMtl1vV5:cHWn7GN

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (62)
.exe	\|	Win64 Executable (generic) (23.3)
.dll	\|	Win32 Dynamic Link Library (generic) (5.5)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Win16/32 Executable Delphi generic (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:10:08 01:50:07+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	46592
InitializedDataSize:	109056
UninitializedDataSize:	-
EntryPoint:	0xd532
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:	exeBase
FileVersion:	1.0.0.0
InternalName:	exeBase.exe
LegalCopyright:	Copyright © 2012
OriginalFileName:	exeBase.exe
ProductName:	exeBase
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(1476) SPOOFER.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1476) SPOOFER.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1476) SPOOFER.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1476) SPOOFER.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6096) SPOOFER.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6096) SPOOFER.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6096) SPOOFER.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6096) SPOOFER.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4288) HpsrSpoof.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4288) HpsrSpoof.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

PID	Process	Filename		Type
1476	SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\SPOOFER.exe		executable
		MD5:38E709AC517D614B056920C080A7D894	SHA256:8F28BBF73966B57562935BBED85CE019EA10FD5A51373F302E4F7DA063E262F4
6096	SPOOFER.exe	C:\Users\admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe		executable
		MD5:79337964DB81CE4114B63D41FFB36AA9	SHA256:ADB779423182DF8DA466C195D7162F9A2DA10DBE0EB3221D82AB0A1D114A3ABB
1476	SPOOFER.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SPOOFER.exe.log		text
		MD5:AA762D92527045449894D0DFABDABFAF	SHA256:FD0A42E4A7D074F4538795E147A72416B4DB4624C5D4A3AFBCAE45F821344C9A
6096	SPOOFER.exe	C:\Users\admin\AppData\Roaming\HpsrSpoof.exe		executable
		MD5:DD1313842898FFAF72D79DF643637DED	SHA256:81B27A565D2EB4701C404E03398A4BCA48480E592460121BF8EC62C5F4B061DF
1476	SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\svchost.exe		executable
		MD5:1421378B1FA1B2BEC518C7B05C137359	SHA256:9536B587FA1B06BE4579CFB144CDB5D0EE43E265647A4D1E02205E0C845ED9D1
6096	SPOOFER.exe	C:\Users\admin\AppData\Roaming\conhost_sft.exe		executable
		MD5:006267C75739C9F4F2F9750322C74370	SHA256:749BB30A909B784EF397A84515B8A15CDCB0532052767B543122B72F9DC5B181
4288	HpsrSpoof.exe	C:\ProgramData\Microsoft\Windows\DevManView.chm		binary
		MD5:FCB3C9E1524CAFB62E98A4883C72E53D	SHA256:94D08A83B3B3509FA17860BCDDD6ED038BE29F3BD99251433E235111A8F381EC
5668	svchost.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log		binary
		MD5:AC99149068CF6DA41E1321136E1D39C2	SHA256:FE0AFFD2BD514A7A7C6523D8E3FA33561452BD6BD6DB754E711042377391B2E5
4288	HpsrSpoof.exe	C:\ProgramData\Microsoft\Windows\amide.sys		executable
		MD5:785045F8B25CD2E937DDC6B09DEBE01A	SHA256:37073E42FFA0322500F90CD7E3C8D02C4CDD695D31C77E81560ABEC20BFB68BA
4288	HpsrSpoof.exe	C:\ProgramData\Microsoft\Windows\DevManView.cfg		text
		MD5:43B37D0F48BAD1537A4DE59FFDA50FFE	SHA256:FC258DFB3E49BE04041AC24540EF544192C2E57300186F777F301D586F900288

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	152 b	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	152 b	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	152 b	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	152 b	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	1.35 Kb	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	152 b	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	text	4 b	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	152 b	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	152 b	unknown
208	WmiPrvSE.exe	POST	200	45.15.156.156:80	http://gaming7core.info/WindowsFlowerlongpoll/DatalifeMariadb0/9/RequestApi/videoJavascriptbigloaddefaultflowerDleCdn.php	unknown	binary	152 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
1676	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1376	Client.exe	2.70.186.204:4822	brofisthej.ddns.net	Hi3G Access AB	SE	unknown
3720	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
208	WmiPrvSE.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	unknown
208	WmiPrvSE.exe	45.15.156.156:80	gaming7core.info	Galaxy LLC	RU	unknown
2644	OfficeClickToRun.exe	20.189.173.12:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7044	SIHClient.exe	40.68.123.157:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
2908	svchost.exe	69.192.161.44:80	x1.c.lencr.org	AKAMAI-AS	DE	unknown
7044	SIHClient.exe	40.127.169.103:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
brofisthej.ddns.net	2.70.186.204	malicious
pastebin.com	172.67.34.170 104.20.67.143 104.20.68.143	shared
gaming7core.info	45.15.156.156	unknown
self.events.data.microsoft.com	20.189.173.12	whitelisted
slscr.update.microsoft.com	40.68.123.157 40.127.169.103	whitelisted
x1.c.lencr.org	69.192.161.44	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

PID	Process	Class	Message
2136	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
208	WmiPrvSE.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
208	WmiPrvSE.exe	A Network Trojan was detected	REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
208	WmiPrvSE.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
208	WmiPrvSE.exe	A Network Trojan was detected	REMOTE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)
2136	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
208	WmiPrvSE.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
2136	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
208	WmiPrvSE.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
2136	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net

General Info

SPOOFER.exe

0C0DC0CF41E3C993AE5A22803275949A

E372DF2088DFA0695608A0ECF9B98C133ABCF8F6

18425DAE9F0A49097D0ABDD28EC465BFE2F4161B7849FB28494B8058A18EBCFC

49152:oXHWn7GGotieByewT9gG21ntArAfjm6miv/t61TRORHEuEu1kGNkLde+tMtl1vV5:cHWn7GN

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Adds extension to the Windows Defender exclusion list

Creates a writable file in the system directory

QUASAR has been detected (YARA)

Steals credentials from Web Browsers

DCRAT has been detected (YARA)

Actions looks like stealing of personal data

SUSPICIOUS

The process creates files with name similar to system file names

Reads the date of Windows installation

Drops a system driver (possible attempt to evade defenses)

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

Script adds exclusion path to Windows Defender

Executing commands from a ".bat" file

Read disk information to detect sandboxing environments

Probably delay the execution using 'w32tm.exe'

Starts application with an unusual extension

Script adds exclusion extension to Windows Defender

Starts SC.EXE for service management

Uses powercfg.exe to modify the power settings

Loads DLL from Mozilla Firefox

INFO

Checks supported languages

Reads the machine GUID from the registry

Drops the executable file immediately after the start

Reads the computer name

Create files in a temporary directory

Reads Environment values

Creates files or folders in the user directory

Creates files in the program directory

Reads product name

Executed via WMI

Starts itself from another location

NirSoft software is detected

Connects to unusual port

Executes as Windows Service

Reads the software policy settings

Checks proxy server information

Connects to the CnC server

DCRAT has been detected (SURICATA)

The process executes via Task Scheduler

Malware configuration

Quasar

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules