Managed XDR

vtdl_1761158444_hoaf641n (DCRat) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
vtdl_1761158444_hoaf641n
Тип файла
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Размер файла
1.1 MB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x86 en

Хеши

SHA1
d025c058da73f82f99016bbbdd0ca532ec6eea33
SHA256
35e5f3f6feadc7c096a89bd345188dc96fb4b71cf2325d4225f3be693131c1e0
MD5
2eb69a67a33a22fc22d55419ee6b5c72

Вредоносное ПО

  • DCRat

Сигнатуры

Execution

T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1010 browser_needed: Repeatedly searches for browser windows

Command and Control

T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules
static_pe_anomaly: The PE file structure contains anomalies
create_rpc_bindings: Creates RPC connection
dotnet_suspicious_module_name: Dotnet program has suspicious module name
creates_suspended_process: Creates suspended process
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
message_box: Displays a message
test_check_service: Starts services
writes_data: Writes big amount of data to disk
dotnet_suspicious_entrypoint: Dotnet program has suspicious entrypoint
js_suspicious: Suspicious javascript

Похожие отчёты