Malware analysis HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe Malicious activity

Add for printing

File name:	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe
Full analysis:	https://app.any.run/tasks/d4780038-d0b1-4d2e-b779-7839087a6a5d
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 03, 2023, 19:07:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	rat backdoor dcrat remote stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	41F28FF8D5E2BA9C79FA62E830038734
SHA1:	3251D577356B19164B32098E012B12CA65F60B47
SHA256:	F50BC6EA15A41F1AFF50A177BEFAD85A312FBD93418E683BF0EB9A28F523BDFE
SSDEEP:	24576:7ThBihfRDxduK88k77M26FrU70xgz62EZZOPTwoD0:7tQh5DxduK88k77M26Fs626Z+EoD0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
- Changes the autorun value in the registry
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
- DCRAT has been detected (SURICATA)
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2924)
SUSPICIOUS
- Executed via WMI
  - schtasks.exe (PID: 2004)
  - schtasks.exe (PID: 284)
  - schtasks.exe (PID: 2796)
  - schtasks.exe (PID: 1204)
- Executing commands from a ".bat" file
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
- Reads the Internet Settings
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2924)
- Starts CMD.EXE for commands execution
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
- Starts application with an unusual extension
  - cmd.exe (PID: 1392)
- Probably delay the execution using 'w32tm.exe'
  - cmd.exe (PID: 1392)
- Connects to the server without a host name
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2924)
INFO
- Checks supported languages
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
  - chcp.com (PID: 364)
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2924)
- Reads the computer name
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2924)
- Reads Environment values
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2924)
- Create files in a temporary directory
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
- Reads the machine GUID from the registry
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2700)
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2924)
- The executable file from the user directory is run by the CMD process
  - HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe (PID: 2924)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (45.1)
.exe	\|	Win32 Executable MS Visual C++ (generic) (19.2)
.exe	\|	Win64 Executable (generic) (17)
.scr	\|	Windows screen saver (8)
.dll	\|	Win32 Dynamic Link Library (generic) (4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:10:05 02:33:20+02:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	908288
InitializedDataSize:	23040
UninitializedDataSize:	-
EntryPoint:	0xdfb4e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.132.56703
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	-
FileDescription:	-
FileVersion:	1.0.132.56703
InternalName:	telescop.dll
LegalCopyright:	Please find more information at https://research.activision.com/opensource
OriginalFileName:	telescop.dll
ProductName:	-
ProductVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

284

schtasks.exe /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4" /sc minute /mo 8 /tr "'C:\Users\admin\AppData\Local\Temp\4kp5pfrr\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

364

chcp 65001

C:\Windows\System32\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1204

schtasks.exe /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4" /sc minute /mo 5 /tr "'C:\Users\admin\AppData\Local\Temp\2p41qtmt\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1392

C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\oGOODQDuXR.bat" "

C:\Windows\System32\cmd.exe

—

HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1660

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\w32tm.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Time Service Diagnostic Tool

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2004

schtasks.exe /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4" /sc minute /mo 5 /tr "'C:\Users\admin\AppData\Local\Temp\a1ic2yxv\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

2700

"C:\Users\admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe"

C:\Users\admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Version:

1.0.132.56703

Modules

Images
c:\users\admin\appdata\local\temp\heur-trojan-spy.msil.stealer.gen-f50bc6ea15a4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll

2796

schtasks.exe /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4" /sc minute /mo 12 /tr "'C:\Users\admin\AppData\Local\Temp\vek4kqj2\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

2924

"C:\Users\admin\AppData\Local\Temp\a1ic2yxv\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe"

C:\Users\admin\AppData\Local\Temp\a1ic2yxv\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe

cmd.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Version:

1.0.132.56703

Modules

Images
c:\users\admin\appdata\local\temp\a1ic2yxv\heur-trojan-spy.msil.stealer.gen-f50bc6ea15a4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll

Add for printing

Total events

1 244

Read events

1 233

Write events

Delete events

Modification events


(PID) Process:	(2700) HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4
Value: "C:\Users\admin\AppData\Local\Temp\a1ic2yxv\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe"
(PID) Process:	(2700) HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4
Value: "C:\Users\admin\AppData\Local\Temp\4kp5pfrr\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe"
(PID) Process:	(2700) HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4
Value: "C:\Users\admin\AppData\Local\Temp\vek4kqj2\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe"
(PID) Process:	(2700) HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2700) HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2700) HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2700) HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\a1ic2yxv\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe		executable
		MD5:41F28FF8D5E2BA9C79FA62E830038734	SHA256:F50BC6EA15A41F1AFF50A177BEFAD85A312FBD93418E683BF0EB9A28F523BDFE
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\a1ic2yxv\621fc758e76fd94a4d1ab6b874bdc43f2c4ed314		text
		MD5:5704E56352F61418691752D70AD6FD00	SHA256:B2D1EFF35808243E25E3732C4DD184FA9DA17431D73C61C1000ABB39DAA9D586
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\2p41qtmt\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe		executable
		MD5:41F28FF8D5E2BA9C79FA62E830038734	SHA256:F50BC6EA15A41F1AFF50A177BEFAD85A312FBD93418E683BF0EB9A28F523BDFE
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\4kp5pfrr\621fc758e76fd94a4d1ab6b874bdc43f2c4ed314		text
		MD5:9275994610F9CF60ADC710067E7A16F7	SHA256:CCC73C6421A77494FB2FD285F5FA5C5DA4753389989E57FF79B8D93BF83BEFF0
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\vek4kqj2\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe		executable
		MD5:41F28FF8D5E2BA9C79FA62E830038734	SHA256:F50BC6EA15A41F1AFF50A177BEFAD85A312FBD93418E683BF0EB9A28F523BDFE
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\4kp5pfrr\HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe		executable
		MD5:41F28FF8D5E2BA9C79FA62E830038734	SHA256:F50BC6EA15A41F1AFF50A177BEFAD85A312FBD93418E683BF0EB9A28F523BDFE
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\oGOODQDuXR.bat		text
		MD5:5FF0D1B276DD193135E53AE670D59819	SHA256:5E1E597409B3F26F5229225B1CDAA82066E13391E3C45D5393258FB3FC7F8621
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\2p41qtmt\621fc758e76fd94a4d1ab6b874bdc43f2c4ed314		text
		MD5:F88D7C8F3A97F1497FC187C53E745F64	SHA256:04BD5A554555065F0A983C4835966B5571998CED0BD42D10BB8899428EBA4F6F
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\Go276k6l97		text
		MD5:45822BC7D97E49C97ED2F9784E9AB639	SHA256:8C54DCA1823D486ED1E965D4986969C2F4F72549A6A9E281121E6A9FF525D09E
2700	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	C:\Users\admin\AppData\Local\Temp\vek4kqj2\621fc758e76fd94a4d1ab6b874bdc43f2c4ed314		text
		MD5:54925505F1F1B3B29BB44DB6FD66C89C	SHA256:08BE83413A656C6E90D0FC35F62ACAAE3DAF82732CAFB0E4DD0B5FED05969D45

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2924	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	GET	404	78.24.216.97:80	http://78.24.216.97/antidataPythonrule/searcherlogPython/Djangopoolanticut/messagehtopServer/bin/local/searcherDjango/CpuframeCam/rulesearcherPythonprogram/requestpoll.php?mELVRoHcaH3lkB7JnNeYMXZ=hZ5E2Odt5WJZ2fB1C&tAKuMakmns6q=Oppx1sCjLoJqN2iRH&nW0oZVx=feQluxOz&369fc1d8c1028b0c53a321987946c31a=c899e3f623864abbd75f3fc06c111b2a&fc18e417394b924176f400e41bae2870=QZzUWOkVWMmBDOjF2M5YzM1Q2YykjZxUmNwQWN5gjN1M2YkVDOjJGN&mELVRoHcaH3lkB7JnNeYMXZ=hZ5E2Odt5WJZ2fB1C&tAKuMakmns6q=Oppx1sCjLoJqN2iRH&nW0oZVx=feQluxOz	unknown	html	1.21 Kb	unknown
2924	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	GET	404	78.24.216.97:80	http://78.24.216.97/antidataPythonrule/searcherlogPython/Djangopoolanticut/messagehtopServer/bin/local/searcherDjango/CpuframeCam/rulesearcherPythonprogram/requestpoll.php?mELVRoHcaH3lkB7JnNeYMXZ=hZ5E2Odt5WJZ2fB1C&tAKuMakmns6q=Oppx1sCjLoJqN2iRH&nW0oZVx=feQluxOz&369fc1d8c1028b0c53a321987946c31a=c899e3f623864abbd75f3fc06c111b2a&fc18e417394b924176f400e41bae2870=QZzUWOkVWMmBDOjF2M5YzM1Q2YykjZxUmNwQWN5gjN1M2YkVDOjJGN&mELVRoHcaH3lkB7JnNeYMXZ=hZ5E2Odt5WJZ2fB1C&tAKuMakmns6q=Oppx1sCjLoJqN2iRH&nW0oZVx=feQluxOz	unknown	html	1.21 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2924	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	78.24.216.97:80	—	JSC IOT	RU	unknown

DNS requests

No data

Threats

PID	Process	Class	Message
2924	HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe	A Network Trojan was detected	ET MALWARE DCRAT Activity (GET)

Add for printing

No debug info

General Info

HEUR-Trojan-Spy.MSIL.Stealer.gen-f50bc6ea15a4.exe

41F28FF8D5E2BA9C79FA62E830038734

3251D577356B19164B32098E012B12CA65F60B47

F50BC6EA15A41F1AFF50A177BEFAD85A312FBD93418E683BF0EB9A28F523BDFE

24576:7ThBihfRDxduK88k77M26FrU70xgz62EZZOPTwoD0:7tQh5DxduK88k77M26Fs626Z+EoD0

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

DCRAT has been detected (SURICATA)

SUSPICIOUS

Executed via WMI

Executing commands from a ".bat" file

Reads the Internet Settings

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Probably delay the execution using 'w32tm.exe'

Connects to the server without a host name

INFO

Checks supported languages

Reads the computer name

Reads Environment values

Create files in a temporary directory

Reads the machine GUID from the registry

The executable file from the user directory is run by the CMD process

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings