File name: | MFCheat.rar |
Full analysis: | https://app.any.run/tasks/8f0d720a-0750-4b40-9113-3f2f0fe469ee |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | May 30, 2020, 13:31:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | F528507F9AA6A213E4029FDE9C215755 |
SHA1: | A7C07B29DB8011C7C37422D5B90E623C9739E1A9 |
SHA256: | 9884A0159DF2C2A70324ADDFF7D764DF036485445B235A6BBE724E2855A218DE |
SSDEEP: | 49152:3ZqvOFH0Mlv5t2T4oVxkCITOQFMK2kWmSlOi8TraadmgekEa2tWHN+hC:bFvlBtw5VGztFTpWmcOi8Traad6a2tO |
Extension | Description (score) |
---|---|
.rar | RAR compressed archive (v5.0) (61.5) |
.rar | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2592 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MFCheat.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2412 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIb2592.35266\pass.txt | C:\Windows\system32\NOTEPAD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2476 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2592.35959\MFCheat\MFCHEAT.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2592.35959\MFCheat\MFCHEAT.exe | | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1256 | "C:\Windows\System32\WScript.exe" "C:\media\AOgBis9dgs7mRQbhCLDbG8UURZv4qG.vbs" | C:\Windows\System32\WScript.exe | — | MFCHEAT.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3956 | cmd /c ""C:\media\ai0L27qAJjdumlx0CG00IDBTsmakju.bat" " | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2300 | 0EQ0hjjnRo5l5jBz0k1Y.exe -pdaff5951618c2bbb4744ae85d2391bcf1af37443 | C:\media\0EQ0hjjnRo5l5jBz0k1Y.exe | | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2080 | "C:\Windows\System32\WScript.exe" "C:\media\System.vbe" | C:\Windows\System32\WScript.exe | — | 0EQ0hjjnRo5l5jBz0k1Y.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3156 | cmd /c ""C:\media\zFsrvFerbE6VofEpOdBJ7vIo4LYQLJ.bat" " | C:\Windows\System32\cmd.exe | | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1460 | "C:\media\mfcheat.exe" | C:\media\mfcheat.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 0.0 | ||||
984 | "C:\Windows\System32\cmd.exe" /c "C:\media\mfcheat.exe" | C:\Windows\System32\cmd.exe | | mfcheat.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2592 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2592.35266\pass.txt | text | |
MD5:C822C1B63853ED273B89687AC505F9FA | SHA256:BBDEFA2950F49882F295B1285D4FA9DEC45FC4144BFB07EE6ACC68762D12C2E3 | |||
2300 | 0EQ0hjjnRo5l5jBz0k1Y.exe | C:\media\vmcheck32.dll | text | |
MD5:9C7F8E5C2A98425B969557D8875268FA | SHA256:8A5F644C9C3CA6E9F72B20E6653BC68021D0583DF10A0E240BF5889B669AE240 | |||
2476 | MFCHEAT.exe | C:\media\ai0L27qAJjdumlx0CG00IDBTsmakju.bat | text | |
MD5:FEFEB359177154B89D52367272C8D79F | SHA256:74A1B2154FF284B98939DDAFFC299AA63CA5FE0FFB7A52DA45853B26F3A88A21 | |||
2300 | 0EQ0hjjnRo5l5jBz0k1Y.exe | C:\media\zFsrvFerbE6VofEpOdBJ7vIo4LYQLJ.bat | text | |
MD5:88A7B9465B594A027AD5D52682FC7227 | SHA256:11476772BC45EA15AC2D37D9E864D68A5B0541C90E468E5573F5371396C66C3D | |||
2476 | MFCHEAT.exe | C:\media\AOgBis9dgs7mRQbhCLDbG8UURZv4qG.vbs | text | |
MD5:527391B435920296D2470EFE9CCFB1E0 | SHA256:10C24A662D338EB37E7A7A8172CD28C94487D932ACB70F418B7C1149A0C5D1D7 | |||
2592 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2592.35959\MFCheat\MFCHEAT.exe | executable | |
MD5:AB024AE52415C4FA1BBCCF485EB76D57 | SHA256:BB93107FE013DA77F5E973F8AFD97FA0DA174ED085FA7CF4CE0F6A2FA2BE5164 | |||
2476 | MFCHEAT.exe | C:\media\0EQ0hjjnRo5l5jBz0k1Y.exe | executable | |
MD5:EC101557C3C7DBFF498E665A50E09870 | SHA256:50884B68C7268278697A13F6F7DCAC835D567DC6E612F858230DB219604C413E | |||
2080 | WScript.exe | C:\media\System.lnk | lnk | |
MD5:8AD816A2228D9BF2B5E2731BFDEAAF3A | SHA256:A78FDA78037AEE24D6BE71072A8115FFD14AD56F161062F05C4205BE72FCC423 | |||
2300 | 0EQ0hjjnRo5l5jBz0k1Y.exe | C:\media\mfcheat.exe | executable | |
MD5:7DF85F5215C5A11C4E2AD007BD5B1571 | SHA256:D9381960FF3975D9E76A8D1BA5642C2AB7ABC16A7E8EC1AEDCA3D88C15175541 | |||
2592 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2592.35959\pass.txt | text | |
MD5:C822C1B63853ED273B89687AC505F9FA | SHA256:BBDEFA2950F49882F295B1285D4FA9DEC45FC4144BFB07EE6ACC68762D12C2E3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1452 | mfcheat.exe | GET | 200 | 216.239.34.21:80 | http://ipinfo.io/ip | US | text | 15 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1452 | mfcheat.exe | 216.239.34.21:80 | ipinfo.io | Google Inc. | US | whitelisted |
1452 | mfcheat.exe | 45.147.197.70:80 | zzqserver.xyz | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
zzqserver.xyz | | malicious |
ipinfo.io | | shared |
PID | Process | Class | Message |
---|---|---|---|
1452 | mfcheat.exe | A Network Trojan was detected | ET TROJAN DCRat Initial CnC Activity |
1452 | mfcheat.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1452 | mfcheat.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1452 | mfcheat.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1452 | mfcheat.exe | A Network Trojan was detected | ET TROJAN DCRat CnC Activity |
1452 | mfcheat.exe | A Network Trojan was detected | MALWARE [PTsecurity] DCRAT |
1452 | mfcheat.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1452 | mfcheat.exe | A Network Trojan was detected | ET TROJAN DCRat CnC Activity |
1452 | mfcheat.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1452 | mfcheat.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup ipinfo.io |