popup

Report - dcr1.exe

Generic Malware Antivirus PE File PE32 PowerShell
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.13 23:15 Machine s1_win7_x6403
Filename dcr1.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
 Behavior Score
6.4
ZERO API file : malware
VT API (file) 17 detected (AIDetectMalware, malicious, high confidence, Tedy, moderate, score, ai score=85, susgen, confidence)
md5 6ff799ae9a28bb581a9b1ca3743c4ae7
sha256 930a8c661671a5712336f5e8bb745bebff56226523fcfe28fb82c3f5f7784da6
ssdeep 48:yOlx9Cbgr98PsacQ3WxEi/C1+j8ZfJJaLhWTmGBs9AMc3crwMw3wrhK2:/lx9prBmWxEcwJcgTmGBs9AMOszo2
imphash 4fa2b5619374acaeb687b6af5efb6bd2
impfuzzy 24:n9wwRfVwQ3Nlr3Dm/EWFNYDGgkSdWTSwpw8:nqwXwQ3Lr3DmNFNYigkSgTSwpw8
  Network IP location

Signature (17cnts)

Level Description
watch Communicates with host for which no DNS query was performed
watch Creates a suspicious Powershell process
watch File has been identified by 17 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (5cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info PowerShell PowerShell script scripts

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://51.79.49.73/crc/dcrat.exe
whois
CA OVH SAS 51.79.49.73 clean
51.79.49.73
whois
CA OVH SAS 51.79.49.73 malware

Suricata ids

ET INFO Executable Download from dotted-quad Host

PE API

IAT(Import Address Table) Library

MSVBVM60.DLL
 0x401000 _CIcos
 0x401004 _adj_fptan
 0x401008 __vbaFreeVar
 0x40100c _adj_fdiv_m64
 0x401010 _adj_fprem1
 0x401014 __vbaSetSystemError
 0x401018 _adj_fdiv_m32
 0x40101c __vbaLateMemSt
 0x401020 _adj_fdiv_m16i
 0x401024 __vbaObjSetAddref
 0x401028 _adj_fdivr_m16i
 0x40102c _CIsin
 0x401030 __vbaChkstk
 0x401034 __vbaObjVar
 0x401038 DllFunctionCall
 0x40103c _adj_fpatan
 0x401040 None
 0x401044 _CIsqrt
 0x401048 __vbaExceptHandler
 0x40104c _adj_fprem
 0x401050 _adj_fdivr_m64
 0x401054 None
 0x401058 __vbaFPException
 0x40105c _CIlog
 0x401060 _adj_fdiv_m32i
 0x401064 _adj_fdivr_m32i
 0x401068 __vbaStrCopy
 0x40106c _adj_fdivr_m32
 0x401070 _adj_fdiv_r
 0x401074 None
 0x401078 __vbaLateMemCall
 0x40107c __vbaVarDup
 0x401080 __vbaLateMemCallLd
 0x401084 _CIatan
 0x401088 _allmul
 0x40108c _CItan
 0x401090 _CIexp
 0x401094 __vbaFreeStr
 0x401098 __vbaFreeObj

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure