File name: MFCheat.rar
Full analysis: https://app.any.run/tasks/8f0d720a-0750-4b40-9113-3f2f0fe469ee
Verdict: Malicious activity
Threats: DCrat

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first introduced in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and cryptocurrency wallet data, hijack Telegram and Steam accounts, and more. Attackers distribute DCrat by a variety of methods, but phishing email campaigns are the most common.

Analysis date: May 30, 2020, 13:31:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, rat, backdoor, dcrat, evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: F528507F9AA6A213E4029FDE9C215755
SHA1: A7C07B29DB8011C7C37422D5B90E623C9739E1A9
SHA256: 9884A0159DF2C2A70324ADDFF7D764DF036485445B235A6BBE724E2855A218DE
SSDEEP: 49152:3ZqvOFH0Mlv5t2T4oVxkCITOQFMK2kWmSlOi8TraadmgekEa2tWHN+hC:bFvlBtw5VGztFTpWmcOi8Traad6a2tO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MFCHEAT.exe (PID: 2476)
      • 0EQ0hjjnRo5l5jBz0k1Y.exe (PID: 2300)
      • mfcheat.exe (PID: 1460)
      • mfcheat.exe (PID: 1452)
    • Writes to a start menu file

      • cmd.exe (PID: 3156)
    • Loads the Task Scheduler COM API

      • mfcheat.exe (PID: 1452)
    • DCRAT was detected

      • mfcheat.exe (PID: 1452)
    • Connects to CnC server

      • mfcheat.exe (PID: 1452)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2592)
      • MFCHEAT.exe (PID: 2476)
      • 0EQ0hjjnRo5l5jBz0k1Y.exe (PID: 2300)
    • Executes scripts

      • MFCHEAT.exe (PID: 2476)
      • 0EQ0hjjnRo5l5jBz0k1Y.exe (PID: 2300)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 1256)
      • WScript.exe (PID: 2080)
      • mfcheat.exe (PID: 1460)
    • Creates files in the user directory

      • cmd.exe (PID: 3156)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3156)
    • Reads Environment values

      • mfcheat.exe (PID: 1452)
    • Checks for external IP

      • mfcheat.exe (PID: 1452)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 53
Monitored processes: 12
Malicious processes: 7
Suspicious processes: 3

Behavior graph (node labels only; the rendered graph is in the full report)

drop and start / start: winrar.exe, notepad.exe (no specs), mfcheat.exe, wscript.exe (no specs), cmd.exe (no specs), 0eq0hjjnro5l5jbz0k1y.exe, wscript.exe (no specs), cmd.exe, mfcheat.exe (no specs), cmd.exe, reg.exe (no specs), #DCRAT mfcheat.exe

Process information

(The report lists ten processes here; PID 1452, the mfcheat.exe instance flagged as DCRAT in the indicators and network sections, is not among them.)

PID 2592
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MFCheat.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2412
  CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIb2592.35266\pass.txt
  Path: C:\Windows\system32\NOTEPAD.EXE
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Notepad
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2476
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2592.35959\MFCheat\MFCHEAT.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2592.35959\MFCheat\MFCHEAT.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 1256
  CMD: "C:\Windows\System32\WScript.exe" "C:\media\AOgBis9dgs7mRQbhCLDbG8UURZv4qG.vbs"
  Path: C:\Windows\System32\WScript.exe
  Parent process: MFCHEAT.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 3956
  CMD: cmd /c ""C:\media\ai0L27qAJjdumlx0CG00IDBTsmakju.bat" "
  Path: C:\Windows\System32\cmd.exe
  Parent process: WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2300
  CMD: 0EQ0hjjnRo5l5jBz0k1Y.exe -pdaff5951618c2bbb4744ae85d2391bcf1af37443
  Path: C:\media\0EQ0hjjnRo5l5jBz0k1Y.exe
  Parent process: cmd.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2080
  CMD: "C:\Windows\System32\WScript.exe" "C:\media\System.vbe"
  Path: C:\Windows\System32\WScript.exe
  Parent process: 0EQ0hjjnRo5l5jBz0k1Y.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 3156
  CMD: cmd /c ""C:\media\zFsrvFerbE6VofEpOdBJ7vIo4LYQLJ.bat" "
  Path: C:\Windows\System32\cmd.exe
  Parent process: WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 1
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1460
  CMD: "C:\media\mfcheat.exe"
  Path: C:\media\mfcheat.exe
  Parent process: cmd.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 0.0

PID 984
  CMD: "C:\Windows\System32\cmd.exe" /c "C:\media\mfcheat.exe"
  Path: C:\Windows\System32\cmd.exe
  Parent process: mfcheat.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 986
Read events: 934
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 0
Text files: 6
Unknown types: 3

Dropped files

PID 2592 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DIb2592.35266\pass.txt [text]
  MD5: C822C1B63853ED273B89687AC505F9FA
  SHA256: BBDEFA2950F49882F295B1285D4FA9DEC45FC4144BFB07EE6ACC68762D12C2E3

PID 2300 (0EQ0hjjnRo5l5jBz0k1Y.exe): C:\media\vmcheck32.dll [text]
  MD5: 9C7F8E5C2A98425B969557D8875268FA
  SHA256: 8A5F644C9C3CA6E9F72B20E6653BC68021D0583DF10A0E240BF5889B669AE240

PID 2476 (MFCHEAT.exe): C:\media\ai0L27qAJjdumlx0CG00IDBTsmakju.bat [text]
  MD5: FEFEB359177154B89D52367272C8D79F
  SHA256: 74A1B2154FF284B98939DDAFFC299AA63CA5FE0FFB7A52DA45853B26F3A88A21

PID 2300 (0EQ0hjjnRo5l5jBz0k1Y.exe): C:\media\zFsrvFerbE6VofEpOdBJ7vIo4LYQLJ.bat [text]
  MD5: 88A7B9465B594A027AD5D52682FC7227
  SHA256: 11476772BC45EA15AC2D37D9E864D68A5B0541C90E468E5573F5371396C66C3D

PID 2476 (MFCHEAT.exe): C:\media\AOgBis9dgs7mRQbhCLDbG8UURZv4qG.vbs [text]
  MD5: 527391B435920296D2470EFE9CCFB1E0
  SHA256: 10C24A662D338EB37E7A7A8172CD28C94487D932ACB70F418B7C1149A0C5D1D7

PID 2592 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXb2592.35959\MFCheat\MFCHEAT.exe [executable]
  MD5: AB024AE52415C4FA1BBCCF485EB76D57
  SHA256: BB93107FE013DA77F5E973F8AFD97FA0DA174ED085FA7CF4CE0F6A2FA2BE5164

PID 2476 (MFCHEAT.exe): C:\media\0EQ0hjjnRo5l5jBz0k1Y.exe [executable]
  MD5: EC101557C3C7DBFF498E665A50E09870
  SHA256: 50884B68C7268278697A13F6F7DCAC835D567DC6E612F858230DB219604C413E

PID 2080 (WScript.exe): C:\media\System.lnk [lnk]
  MD5: 8AD816A2228D9BF2B5E2731BFDEAAF3A
  SHA256: A78FDA78037AEE24D6BE71072A8115FFD14AD56F161062F05C4205BE72FCC423

PID 2300 (0EQ0hjjnRo5l5jBz0k1Y.exe): C:\media\mfcheat.exe [executable]
  MD5: 7DF85F5215C5A11C4E2AD007BD5B1571
  SHA256: D9381960FF3975D9E76A8D1BA5642C2AB7ABC16A7E8EC1AEDCA3D88C15175541

PID 2592 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXb2592.35959\pass.txt [text]
  MD5: C822C1B63853ED273B89687AC505F9FA
  SHA256: BBDEFA2950F49882F295B1285D4FA9DEC45FC4144BFB07EE6ACC68762D12C2E3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID 1452 (mfcheat.exe): GET http://ipinfo.io/ip
  HTTP code: 200
  IP: 216.239.34.21:80
  CN: US
  Type: text
  Size: 15 b
  Reputation: shared

Connections

PID 1452 (mfcheat.exe): 216.239.34.21:80, domain ipinfo.io, ASN Google Inc., CN US, reputation: whitelisted
PID 1452 (mfcheat.exe): 45.147.197.70:80, domain zzqserver.xyz, ASN and CN not listed, reputation: malicious

DNS requests

zzqserver.xyz -> 45.147.197.70 (reputation: malicious)
ipinfo.io -> 216.239.34.21, 216.239.36.21, 216.239.38.21, 216.239.32.21 (reputation: shared)

Threats (IDS alerts, all raised on PID 1452 mfcheat.exe, in report order)

A Network Trojan was detected: ET TROJAN DCRat Initial CnC Activity
Potentially Bad Traffic: AV INFO HTTP Request to a *.xyz domain
Potentially Bad Traffic: AV INFO HTTP Request to a *.xyz domain
Potentially Bad Traffic: AV INFO HTTP Request to a *.xyz domain
A Network Trojan was detected: ET TROJAN DCRat CnC Activity
A Network Trojan was detected: MALWARE [PTsecurity] DCRAT
Potentially Bad Traffic: AV INFO HTTP Request to a *.xyz domain
A Network Trojan was detected: ET TROJAN DCRat CnC Activity
Potentially Bad Traffic: AV INFO HTTP Request to a *.xyz domain
Potential Corporate Privacy Violation: ET POLICY Possible External IP Lookup ipinfo.io
No debug info