Field | Value |
---|---|
File name: | cheat.exe |
Full analysis: | https://app.any.run/tasks/59a2b752-d906-401c-bf17-15fbf0e3e814 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | May 30, 2020, 15:48:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 43851749EB45FF87BA649918295CAA8D |
SHA1: | 994352827BA0B233474A64C2B5BE1B3DE8D6CE27 |
SHA256: | C8683323F2FF88B519E7FF316F8A7898990B22DFC11298CE54868DAAE9C4D206 |
SSDEEP: | 49152:I/x9LRodZcbGWEqysfKvedKarw3ZY+DcXAFpGDtu0C8dxAwn1JSJ:Ux9UZqG/q79EC+DcXAvH0C4xRn1Jw |

Extension | Detected type (score) |
---|---|
.exe | Win64 Executable (generic) (64.6) |
.dll | Win32 Dynamic Link Library (generic) (15.4) |
.exe | Win32 Executable (generic) (10.5) |
.exe | Generic Win/DOS Executable (4.6) |
.exe | DOS Executable Generic (4.6) |

Field | Value |
---|---|
AssemblyVersion: | 1.5.5.3 |
ProductVersion: | 5.4.7.9 |
ProductName: | Tuhuen Software |
OriginalFileName: | SRNeRTLWrxQLe.exe |
LegalTrademarks: | Tuhuen Software LTD |
LegalCopyright: | Tuhuen Software LTD |
InternalName: | SRNeRTLWrxQLe.exe |
FileVersion: | 5.4.7.9 |
FileDescription: | Tuhuen Software |
CompanyName: | Tuhuen Software LTD |
Comments: | Tuhuen Software |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 5.4.7.9 |
FileVersionNumber: | 5.4.7.9 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x248e32 |
UninitializedDataSize: | - |
InitializedDataSize: | 105984 |
CodeSize: | 2387968 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2020:05:23 21:15:56+02:00 |
MachineType: | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 23-May-2020 19:15:56 |
Comments: | Tuhuen Software |
CompanyName: | Tuhuen Software LTD |
FileDescription: | Tuhuen Software |
FileVersion: | 5.4.7.9 |
InternalName: | SRNeRTLWrxQLe.exe |
LegalCopyright: | Tuhuen Software LTD |
LegalTrademarks: | Tuhuen Software LTD |
OriginalFilename: | SRNeRTLWrxQLe.exe |
ProductName: | Tuhuen Software |
ProductVersion: | 5.4.7.9 |
Assembly Version: | 1.5.5.3 |

Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |

Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 23-May-2020 19:15:56 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00246E38 | 0x00247000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.97563 |
.reloc | 0x0024A000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
.rsrc | 0x0024C000 | 0x00019B6C | 0x00019C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.3521 |

Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.45681 | 940 | UNKNOWN | UNKNOWN | RT_VERSION |
2 | 3.00473 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 3.0904 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 3.29528 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 3.28249 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 3.28148 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |

Imported DLL |
---|
mscoree.dll |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2168 | "C:\Users\admin\AppData\Local\Temp\cheat.exe" | C:\Users\admin\AppData\Local\Temp\cheat.exe | — | explorer.exe | User: admin; Company: Tuhuen Software LTD; Integrity Level: MEDIUM; Description: Tuhuen Software; Exit code: 0; Version: 5.4.7.9 |
2976 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2840 | "{path}" | C:\Users\admin\AppData\Local\Temp\cheat.exe | — | cheat.exe | User: admin; Company: Tuhuen Software LTD; Integrity Level: MEDIUM; Description: Tuhuen Software; Exit code: 4294967295; Version: 5.4.7.9 |
3192 | "{path}" | C:\Users\admin\AppData\Local\Temp\cheat.exe | | cheat.exe | User: admin; Company: Tuhuen Software LTD; Integrity Level: MEDIUM; Description: Tuhuen Software; Exit code: 0; Version: 5.4.7.9 |
2296 | "C:\Users\admin\Documents\file0.exe" | C:\Users\admin\Documents\file0.exe | — | cheat.exe | User: admin; Company: EduPrintProv; Integrity Level: MEDIUM; Description: capiprovider; Exit code: 0; Version: 918.733.140.535 |
3916 | "C:\Users\admin\Documents\file1.exe" | C:\Users\admin\Documents\file1.exe | | cheat.exe | User: admin; Company: Inc.Infrastructure; Integrity Level: MEDIUM; Description: Inc.Infrastructur Host Driver; Exit code: 0; Version: 2.0.0.0 |
1564 | "C:\Users\admin\Documents\file2.exe" | C:\Users\admin\Documents\file2.exe | | cheat.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3140 | "C:\Windows\System32\WScript.exe" "C:\fontcrt\MwNjvr88NQJRSWi19KqHvdvHPGxkRc.vbs" | C:\Windows\System32\WScript.exe | — | file2.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
2264 | cmd /c ""C:\fontcrt\f8IOiW4b1oJg0IdnBPNY1lP2Kk6HqE.bat" " | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2888 | nlHa4dneFyvW7t91tTqX.exe -pfc114bf1799a11cca515d4e7135dd097ec29a963 | C:\fontcrt\nlHa4dneFyvW7t91tTqX.exe | | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3192 | cheat.exe | C:\Users\admin\Documents\rr | — | — | — |
3916 | file1.exe | C:\Users\admin\AppData\Local\Temp\Cab3C51.tmp | — | — | — |
3916 | file1.exe | C:\Users\admin\AppData\Local\Temp\Tar3C52.tmp | — | — | — |
3916 | file1.exe | C:\Users\admin\AppData\Local\Temp\Cab3C81.tmp | — | — | — |
3916 | file1.exe | C:\Users\admin\AppData\Local\Temp\Tar3C82.tmp | — | — | — |
3192 | cheat.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\screen.jpeg | image | 5A669BB107654EA00650D6E8E10C2A12 | 86BE5EFBB7005773AB4A78023B0D9676C6FF584D101058BD7179C534C61238D6 |
3916 | file1.exe | C:\Users\admin\AppData\Local\Temp\Cab3D6E.tmp | — | — | — |
3192 | cheat.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\Browsers\Google\Autofill.log | text | 63D4BEA5BF2E239193F40EFAF2A17657 | AF8965DC3ECC954D181239538809A25AC1305B3389E1D0199EBFE769252A0AFA |
3192 | cheat.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\321[1].exe | executable | 621368F070A43B2B353275CC2C1D2A85 | 83D04E3AC2A116805CEE01F0882B7745A94D11D27A1041D80DB1E40AE6F54B9E |
3192 | cheat.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\751[1].exe | executable | E9232CE72A3CF88A3D1442248275C797 | C991FE8C6D840624FBF7B46C88514FF6324FEA56997929B0A81D97B0F6EB7F88 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3192 | cheat.exe | GET | 200 | 81.16.28.176:80 | http://polosatik.site/126.exe | unknown | executable | 2.01 Mb | malicious |
3916 | file1.exe | GET | 304 | 2.21.78.252:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 57.0 Kb | whitelisted |
3916 | file1.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 461 b | shared |
3192 | cheat.exe | GET | 200 | 81.16.28.176:80 | http://polosatik.site/751.exe | unknown | executable | 977 Kb | malicious |
2548 | savesref.exe | GET | 200 | 81.16.28.176:80 | http://polosatik.site/qnyfx6ftdd3rno199mxvktsxevpzuzu/eytdboy5szfe18nnmanpwvg692cnfa4lzel5i/5ec6a5b184b36667823aded56b8bb4a6fba22759.php?4ba60642483e6edded193f3eddb7d370=0940ad5e6d32b0f81cb79e230953bd92&e60ff182eb0c6968d20131f15b5573dd=529633998619a6068c1dc14fe9c1dd14a741b372 | unknown | text | 67 b | malicious |
3192 | cheat.exe | POST | 200 | 188.225.33.242:80 | http://188.225.33.242/gate.php | RU | — | — | malicious |
3192 | cheat.exe | POST | 200 | 188.225.33.242:80 | http://188.225.33.242/gate.php | RU | text | 96 b | malicious |
3192 | cheat.exe | GET | 200 | 81.16.28.176:80 | http://polosatik.site/321.exe | unknown | executable | 1.08 Mb | malicious |
2548 | savesref.exe | GET | — | 81.16.28.176:80 | http://polosatik.site/qnyfx6ftdd3rno199mxvktsxevpzuzu/eytdboy5szfe18nnmanpwvg692cnfa4lzel5i/8kgh087x1fgzjpaxwzd1xmstye4ynnxrib4tq9sx57rtw2ey1mtoc/fa0f471eaf400e7485e2cd28e62af714.php?823b821c9f8361b1d0fe2c0ddeda325c=%3DQDM1EWN0AjZyYGMyEGNzUDZlRTNlZ2YhdTN1EjYhR2YwYzYzYGMmRDM&c65f4611a8b807d0c3b2c24ef028946e=%3D%3DgY5ITN5UGZ3IjZwQ2YmJGMyU2NjJmZxAzMhRmYlBzMiJDZxQWZ1YWY&6ac56b5fa0bc520ed3722ada26977f74=lhXZuUGbklkPSR1U8UGel5SRTZncQlWbX5jUUNFPlhXZu0WZ0NXeT5jUUNFPlhXZuInbhRmbpdnPSR1U8UGel5SYyVGcv5jUUNFPlhXZuQ3cvh2Y2NnPSR1U8UGel5Cdz9GajZ3c%2BIFVTxTZ4VmLDZ1UTZlPSR1U8UGel5Cdz9GSyVGdslmRoNmchV2U%2BIFVTxTZ4VmL0N3bot2chRnPSR1U8UGel5SbzF0ZlJlPSR1U8UGel5yYlhXZpNXb%2BIFVTxTZ4VmL0N3bo52bj5jUUNFPlhXZuY3cs92bwNnPSR1U8UGel5iclRnchR3U%2BIFVTxTZ4VmLtdHZ%2BIFVTxTZ4VmL0lmbp5Wa35jUUNFPlhXZuQ3cvhEbvN2b09mcQh2YyFWZT5jUUNFPlhXZuMXZjlmdyV2c%2BIFVTxTZ4VmL0BXayN2c35jUUNFPlhXZucmblt2chRnPSR1U8UGel5Cdz9GajZ3c%2BIFVTxTZ4VmLzNnczNmPSR1U8UGel5SRUFERQVFVDlERF1US%2BIFVTxTZ4VmLzNXYzxmPSR1U8UGel5iclJ3bsBHel5jUUNFPlhXZu42btZGdj5jUUNFPlhXZuQ3cvh2Y2NnPSR1U8UGel5Cdz9GajZ3c%2BIFVTxTZ4VmLtNHb%2BIFVTxTZ4VmL0N3boNmdz5jUUNFPlhXZuQWbj5jUUNFPlhXZuQ3cvh2Y2NnPSR1U8UGel5Cdz9GajZ3c%2BIFVTxTZ4VmLyVGZvNWZE5jUUNFPlhXZuIXZ4VGZulEajJXYlNlPSR1U8UGel5iZlJ3clZXYz5jUUNFPlhXZu42bn9Gbul2d%2BIFVTxTZ4VmL0N3boNmdz5jUUNFPlhXZucGZvlGZ1FmPSR1U8UGel5Sc%2BIFVTxTZ4VmLzNnczNmPSR1U8UGel5ycz12c%2BIFVTxTZ4VmL0N3boNmdz5jUUNFP&9b0cc12a38836765288bc590f25fb6d8=%3D%3DgY2gzNjdTMkVzM3MWNzYWOjFGMhhjY0YTNidDZyYTN3YTZzEjYyUTN&a0c271d2fb34e59d44fb5ecdcf624ace=%3DUmN2gTMmdjZiJzN3QWM0MmYkVTZ1QDOykjM1YTZjRmM | unknown | — | — | malicious |
2976 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 564 b | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3916 | file1.exe | 2.21.78.252:80 | www.download.windowsupdate.com | Akamai International B.V. | — | whitelisted |
3580 | RegAsm.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
3580 | RegAsm.exe | 172.217.18.4:443 | www.google.com | Google Inc. | US | whitelisted |
3192 | cheat.exe | 81.16.28.176:80 | polosatik.site | — | — | malicious |
2976 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3916 | file1.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
3916 | file1.exe | 54.225.191.113:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious |
3192 | cheat.exe | 188.225.33.242:80 | — | TimeWeb Ltd. | RU | malicious |
2976 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
3580 | RegAsm.exe | 172.67.194.33:443 | arcane.es3n.in | — | US | malicious |

Domain | IP | Reputation |
---|---|---|
polosatik.site | | malicious |
api.ipify.org | | shared |
www.download.windowsupdate.com | | whitelisted |
www.google.com | | whitelisted |
iplogger.org | | shared |
certs.opera.com | | whitelisted |
crl4.digicert.com | | whitelisted |
ip-api.com | | shared |
arcane.es3n.in | | malicious |
ipinfo.io | | shared |

PID | Process | Class | Message |
---|---|---|---|
3192 | cheat.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
3192 | cheat.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |
3192 | cheat.exe | A Network Trojan was detected | ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad |
3192 | cheat.exe | A Network Trojan was detected | STEALER [PTsecurity] Parasite |
3192 | cheat.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (Client) |
3192 | cheat.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
3192 | cheat.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |
3192 | cheat.exe | A Network Trojan was detected | ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad |
3192 | cheat.exe | A Network Trojan was detected | STEALER [PTsecurity] Parasite |
3192 | cheat.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (Client) |