Report - DhcpcommonFontsession.exe

Tags: RAT, Generic Malware, Malicious Packer, UPX, PE32, OS Processor Check, .NET EXE, PE File
Created: 2021.07.30 10:30
Machine: s1_win7_x6402
Filename: DhcpcommonFontsession.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score: 6
Behavior Score: 6.8
ZERO API (file): clean
VT API (file): 45 detected (malicious, high confidence, Basic, YakbeexMSIL, HwMA5vIA, Unsafe, Save, Attribute, HighConfidence, Uztuby, KeyloggerX, SpyNoon, UMal, aucca@0, QuasarNET, R002C0DGT21, GenericRXPF, Static AI, Malicious PE, ai score=100, kcloud, Outbreak, Score, 100%, ZemsilF, Em0@a0h7Qyji, GdSda, confidence)
md5: 999142f2751bd4d2d1da9a2d558029d3
sha256: 5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436
ssdeep: 6144:vqqDLOAbTNroWmxxyznX08XbDYAQU5s6rObagKZ961DkDgdhUxTnwpdHQNqPzGQ3:yqnOq0UXPDYAR5sUM1DGb6HZNwP
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy: 3:rGsLdAIEK:tf
Signature (16cnts)

Level    Description
danger   File has been identified by 45 AntiVirus engines on VirusTotal as malicious
watch    Created a process named as a common system process
watch    Installs itself for autorun at Windows startup
watch    Network communications indicative of possible code injection originated from the process lsass.exe
notice   A process created a hidden window
notice   Allocates read-write-execute memory (usually to unpack itself)
notice   Checks adapter addresses which can be used to detect virtual network interfaces
notice   Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice   Performs some HTTP requests
notice   Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice   Resolves a suspicious Top Level Domain (TLD)
info     Checks amount of memory in system
info     Checks if process is being debugged by a debugger
info     Collects information to fingerprint the system (MachineGuid
info     One or more processes crashed
info     Queries for the computername

Note on the two "watch" entries: read together, "Created a process named as a common system process" and network traffic "originated from the process lsass.exe" are consistent with the sample launching a process under the lsass.exe name (masquerading, possibly with injection) and beaconing from it, rather than the genuine LSASS talking to the C2. On a live host, confirm by checking the image path of any lsass.exe that is not running from %SystemRoot%\System32 and the autorun entry the sample installs.

Rules (8cnts)

Level    Name                         Description             Collection
warning  Generic_Malware_Zero         Generic Malware         binaries (upload)
watch    Malicious_Packer_Zero        Malicious Packer        binaries (upload)
watch    UPX_Zero                     UPX packed file         binaries (upload)
info     Is_DotNET_EXE                (no description)        binaries (upload)
info     IsPE32                       (no description)        binaries (upload)
info     OS_Processor_Check_Zero      OS Processor Check      binaries (upload)
info     PE_Header_Zero               PE File Signature       binaries (upload)
info     Win_Backdoor_AsyncRAT_Zero   Win Backdoor AsyncRAT   binaries (upload)

Network (4cnts)

Request | CC | ASN Co | IP4 | ZERO
http://api.samp-loader.ru/control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW&c94b13721d27475b87989d1218641657=8a5330c20f60bd9030c0fb85bd67f5dd&6d3d78b8326f23a9c284d79a7473fb93=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&lF8KllZ=rEiSsOnQXHCc | RU | QWARTA LLC | 95.181.163.93 | clean
http://api.samp-loader.ru/control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW&6b8b4347da47dc2b696be018eded6f69=wN3IzYlVGN1cTN5ETZlZWNxUGZ3UDN0kTOwMDZxEjZzQ2NhZjM1UGNwgjN3gjM3gzMxIjNwkjM&6d3d78b8326f23a9c284d79a7473fb93=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1IT | RU | QWARTA LLC | 95.181.163.93 | clean
api.samp-loader.ru | RU | QWARTA LLC | 95.181.163.93 | clean
95.181.163.93 | RU | QWARTA LLC | 95.181.163.93 | clean

The "clean" verdict in the last column is the ZERO reputation lookup for each destination at report time, not an assessment of this traffic. The two GET requests to control.php, with parameter names that are 32-character hex strings and opaque encoded values, are the sample's HTTP activity flagged above and are the most useful network indicators here (host, IP, and URL shape).
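As an added example (not part of the sandbox report or of any tool it names), the following script turns the indicators above into a small detection pass: it matches the hashes, the C2 host and IP, and the structural shape of the control.php beacon (two or more 32-character hex parameter names), so a rotated domain with the same loader is still caught. The proxy-log format and every log line are constructed for the demonstration; only the indicator values come from the report.

```python
"""Detection pass over constructed proxy-log lines using the report's IOCs.

Added example. The log format (timestamp src method url status) and the
sample lines are invented; the hashes, host, IP and URLs are from the report.
"""
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# --- Indicators copied from the report -------------------------------------
IOC_MD5 = "999142f2751bd4d2d1da9a2d558029d3"
IOC_SHA256 = "5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436"
IOC_HOST = "api.samp-loader.ru"
IOC_IP = "95.181.163.93"
C2_PATH = "/control.php"
REPORT_URLS = [
    "http://api.samp-loader.ru/control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW"
    "&c94b13721d27475b87989d1218641657=8a5330c20f60bd9030c0fb85bd67f5dd"
    "&6d3d78b8326f23a9c284d79a7473fb93=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO"
    "&lF8KllZ=rEiSsOnQXHCc",
    "http://api.samp-loader.ru/control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW"
    "&6b8b4347da47dc2b696be018eded6f69=wN3IzYlVGN1cTN5ETZlZWNxUGZ3UDN0kTOwMDZxEjZzQ2NhZjM1UGNwgjN3gjM3gzMxIjNwkjM"
    "&6d3d78b8326f23a9c284d79a7473fb93=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1IT",
]

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def c2_url_score(url: str) -> dict:
    """Score one URL against the beacon shape seen in the report:
    known host/IP, /control.php path, and 32-hex parameter names/values."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "host_match": host in (IOC_HOST, IOC_IP),
        "path_match": parts.path == C2_PATH,
        "hex32_keys": sum(1 for k, _ in params if HEX32.match(k)),
        "hex32_values": sum(1 for _, v in params if HEX32.match(v)),
    }


def is_c2_beacon(url: str) -> bool:
    """Strong signal: the known host or IP. Weaker structural signal:
    control.php with at least two 32-hex parameter names, which survives a
    domain rotation. Tune the threshold to your own false-positive tolerance."""
    s = c2_url_score(url)
    return s["host_match"] or (s["path_match"] and s["hex32_keys"] >= 2)


# Constructed log format: "<ts> <src-ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Return (source ip, url) for every line whose URL looks like the beacon."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and is_c2_beacon(m["url"]):
            hits.append((m["src"], m["url"]))
    return hits


def file_matches_ioc(data: bytes) -> dict:
    """Hash-based check of a file's bytes against the report's md5/sha256."""
    return {
        "md5": hashlib.md5(data).hexdigest() == IOC_MD5,
        "sha256": hashlib.sha256(data).hexdigest() == IOC_SHA256,
    }


# Constructed sample log: two beacons from one host, benign traffic, a benign
# control.php that must NOT fire, and a beacon to the bare C2 IP.
SAMPLE_LOG = [
    "2021-07-30T10:31:02Z 10.0.0.15 GET " + REPORT_URLS[0] + " 200",
    "2021-07-30T10:31:09Z 10.0.0.15 GET " + REPORT_URLS[1] + " 200",
    "2021-07-30T10:31:10Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2021-07-30T10:31:11Z 10.0.0.22 GET http://cdn.example.net/control.php?id=7 404",
    "2021-07-30T10:31:15Z 10.0.0.31 GET http://95.181.163.93/control.php?x=1 200",
]

if __name__ == "__main__":
    for src, url in scan_proxy_log(SAMPLE_LOG):
        print(f"C2 beacon from {src}: {url[:60]}...")
```

The structural rule (control.php plus two hex32 parameter names) is deliberately kept separate from the host match so it can be weighted differently in a SIEM; a hit on the structural rule alone should be treated as a lead to confirm, not a verdict.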

Suricata ids

PE API

IAT (Import Address Table)

Library       Address    Function
mscoree.dll   0x402000   _CorExeMain

EAT (Export Address Table): none

Note: a single import of mscoree!_CorExeMain is the loader stub of every managed (.NET) executable, so the imphash and impfuzzy values above identify the CLR stub, not this sample; they are shared by essentially all .NET PEs and should not be used as a pivot. Pivot on sha256, ssdeep, the AsyncRAT rule hit, or the network indicators instead.
