File dac2188c436443ea_mainexe.exe

Size 61.5KB
Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5 524a151216768e790645c98acb6c94ee
SHA1 2bffd0cd64a6f986a3093756addbb1e80c97df49
SHA256 dac2188c436443ea2439731c1f22ab78d5bd8d871a55ef08f0b55ec4eed6d89d
SHA512 6474666b47b0cfb2ba4c3999b21146d825efed9a536b8d77a756d59fc2ef70b7bee1b9ab511160e2ce79694135c827e04c98568c12142a3a3858bbb35ac28760
CRC32 1E87F21A
ssdeep None
Yara
  • anti_dbg - Checks if being debugged
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID:6164098


Information on Execution

Analysis
Category  Started                    Completed                  Duration     Routing
FILE      March 29, 2025, 1:40 p.m.  March 29, 2025, 1:49 p.m.  519 seconds  internet

Analyzer Log

2025-03-27 00:56:22,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpdrdvpd
2025-03-27 00:56:22,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\gnAJcKKwtCvgPeQjzOwoeQcT
2025-03-27 00:56:22,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\uhkDDGcyLPAXLFAjhke
2025-03-27 00:56:22,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-03-27 00:56:22,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-03-27 00:56:22,375 [analyzer] DEBUG: Started auxiliary module Curtain
2025-03-27 00:56:22,375 [analyzer] DEBUG: Started auxiliary module DbgView
2025-03-27 00:56:23,187 [analyzer] DEBUG: Started auxiliary module Disguise
2025-03-27 00:56:23,421 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-03-27 00:56:23,421 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-03-27 00:56:23,421 [analyzer] DEBUG: Started auxiliary module Human
2025-03-27 00:56:23,421 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-03-27 00:56:23,421 [analyzer] DEBUG: Started auxiliary module Reboot
2025-03-27 00:56:23,530 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-03-27 00:56:23,530 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-03-27 00:56:23,530 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-03-27 00:56:23,530 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-03-27 00:56:23,687 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dac2188c436443ea_mainexe.exe' with arguments '' and pid 2700
2025-03-27 00:56:23,937 [analyzer] DEBUG: Loaded monitor into process with pid 2700
2025-03-27 00:56:23,937 [analyzer] INFO: Added new file to list with pid 2700 and path C:\Users\Administrator\AppData\Local\Temp\AddCer.exe
2025-03-27 00:56:24,108 [analyzer] INFO: Injected into process with pid 2456 and name u'AddCer.exe'
2025-03-27 00:56:24,312 [analyzer] DEBUG: Loaded monitor into process with pid 2456
2025-03-27 00:56:24,342 [analyzer] INFO: Added new file to list with pid 2456 and path C:\Users\Administrator\AppData\Local\Temp\z1yuny4n.cer
2025-03-27 00:56:24,640 [analyzer] INFO: Added new file to list with pid 2700 and path C:\Users\Administrator\AppData\Local\Temp\Z1rasadhlp.jpg
2025-03-27 00:56:24,703 [analyzer] INFO: Injected into process with pid 2544 and name u'rundll32.exe'
2025-03-27 00:56:24,828 [analyzer] INFO: Injected into process with pid 2076 and name u'cmd.exe'
2025-03-27 00:56:24,921 [analyzer] DEBUG: Loaded monitor into process with pid 2544
2025-03-27 00:56:25,046 [analyzer] DEBUG: Loaded monitor into process with pid 2076
2025-03-27 00:56:25,687 [analyzer] INFO: Process with pid 2700 has terminated
2025-03-27 00:56:25,687 [analyzer] INFO: Process with pid 2076 has terminated
2025-03-27 00:59:42,687 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-03-27 00:59:43,733 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-03-27 00:59:43,750 [lib.api.process] INFO: Successfully terminated process with pid 2544.
2025-03-27 00:59:43,750 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\addcer.exe' does not exist, skip.
2025-03-27 00:59:43,750 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-03-29 13:40:49,887 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:50,944 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:51,974 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:53,014 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:54,057 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:55,099 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:56,121 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:57,164 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:58,201 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:40:59,249 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:00,296 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:01,343 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:02,399 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:03,455 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:04,567 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:05,658 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:06,771 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:07,852 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:08,913 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:09,976 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:11,498 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:12,573 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:13,643 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:14,871 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:15,967 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:17,004 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:18,244 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:19,348 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:20,387 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:21,426 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:22,464 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:23,493 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:24,541 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:25,634 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:26,682 [cuckoo.core.scheduler] DEBUG: Task #6180506: no machine available yet
2025-03-29 13:41:27,725 [cuckoo.core.scheduler] INFO: Task #6180506: acquired machine win7x6412 (label=win7x6412)
2025-03-29 13:41:27,727 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.212 for task #6180506
2025-03-29 13:41:28,145 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2319833 (interface=vboxnet0, host=192.168.168.212)
2025-03-29 13:41:28,551 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6412
2025-03-29 13:41:29,234 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6412 to vmcloak
2025-03-29 13:44:17,158 [cuckoo.core.guest] INFO: Starting analysis #6180506 on guest (id=win7x6412, ip=192.168.168.212)
2025-03-29 13:44:18,165 [cuckoo.core.guest] DEBUG: win7x6412: not ready yet
2025-03-29 13:44:23,205 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6412, ip=192.168.168.212)
2025-03-29 13:44:23,410 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6412, ip=192.168.168.212, monitor=latest, size=6660546)
2025-03-29 13:44:25,516 [cuckoo.core.resultserver] DEBUG: Task #6180506: live log analysis.log initialized.
2025-03-29 13:44:26,883 [cuckoo.core.resultserver] DEBUG: Task #6180506 is sending a BSON stream
2025-03-29 13:44:27,383 [cuckoo.core.resultserver] DEBUG: Task #6180506 is sending a BSON stream
2025-03-29 13:44:27,758 [cuckoo.core.resultserver] DEBUG: Task #6180506 is sending a BSON stream
2025-03-29 13:44:28,188 [cuckoo.core.resultserver] DEBUG: Task #6180506: File upload for 'shots/0001.jpg'
2025-03-29 13:44:28,216 [cuckoo.core.resultserver] DEBUG: Task #6180506: File upload for 'files/556725558bfeae99_Z1rasadhlp.jpg'
2025-03-29 13:44:28,225 [cuckoo.core.resultserver] DEBUG: Task #6180506 uploaded file length: 28384
2025-03-29 13:44:28,232 [cuckoo.core.resultserver] DEBUG: Task #6180506 uploaded file length: 112146
2025-03-29 13:44:28,366 [cuckoo.core.resultserver] DEBUG: Task #6180506 is sending a BSON stream
2025-03-29 13:44:28,496 [cuckoo.core.resultserver] DEBUG: Task #6180506 is sending a BSON stream
2025-03-29 13:44:28,595 [cuckoo.core.resultserver] DEBUG: Task #6180506: File upload for 'files/dac2188c436443ea_dac2188c436443ea_mainexe.exe'
2025-03-29 13:44:28,601 [cuckoo.core.resultserver] DEBUG: Task #6180506 uploaded file length: 62976
2025-03-29 13:44:29,338 [cuckoo.core.resultserver] DEBUG: Task #6180506: File upload for 'shots/0002.jpg'
2025-03-29 13:44:29,348 [cuckoo.core.resultserver] DEBUG: Task #6180506 uploaded file length: 133504
2025-03-29 13:44:33,825 [cuckoo.core.resultserver] DEBUG: Task #6180506: File upload for 'files/8e4752179c57ee22_z1yuny4n.cer'
2025-03-29 13:44:33,828 [cuckoo.core.resultserver] DEBUG: Task #6180506 uploaded file length: 572
2025-03-29 13:44:40,217 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:44:55,635 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:45:10,847 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:45:25,954 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:45:41,084 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:45:56,405 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:46:11,521 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:46:26,654 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:46:41,928 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:46:57,067 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:47:12,310 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:47:27,448 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:47:42,593 [cuckoo.core.guest] DEBUG: win7x6412: analysis #6180506 still processing
2025-03-29 13:47:46,421 [cuckoo.core.resultserver] DEBUG: Task #6180506: File upload for 'curtain/1743033582.89.curtain.log'
2025-03-29 13:47:46,425 [cuckoo.core.resultserver] DEBUG: Task #6180506 uploaded file length: 36
2025-03-29 13:47:47,172 [cuckoo.core.resultserver] DEBUG: Task #6180506: File upload for 'sysmon/1743033583.64.sysmon.xml'
2025-03-29 13:47:47,272 [cuckoo.core.resultserver] DEBUG: Task #6180506 uploaded file length: 10180026
2025-03-29 13:47:47,296 [cuckoo.core.resultserver] DEBUG: Task #6180506 had connection reset for <Context for LOG>
2025-03-29 13:47:48,630 [cuckoo.core.guest] INFO: win7x6412: analysis completed successfully
2025-03-29 13:47:48,650 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-03-29 13:47:48,671 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-03-29 13:47:49,798 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6412 to path /srv/cuckoo/cwd/storage/analyses/6180506/memory.dmp
2025-03-29 13:47:49,799 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6412
2025-03-29 13:49:29,118 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.212 for task #6180506
2025-03-29 13:49:29,735 [cuckoo.core.scheduler] DEBUG: Released database task #6180506
2025-03-29 13:49:29,753 [cuckoo.core.scheduler] INFO: Task #6180506: analysis procedure completed

Signatures

Yara rules detected for file (3 events)
description Checks if being debugged rule anti_dbg
description Affect system registries rule win_registry
description Affect private profile rule win_files_operation
Allocates read-write-execute memory (usually to unpack itself) (8 events)
API / Arguments / Status / Return / Repeated
All eight events are NtProtectVirtualMemory calls from process_identifier 2544 (the injected rundll32.exe, per the analyzer log) with identical arguments except for base_address: stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), process_handle: 0xffffffff. Each call reports Status 1, Return 0, Repeated 0.
  • base_address: 0x735c1000
  • base_address: 0x75cc1000
  • base_address: 0x72e61000
  • base_address: 0x74150000
  • base_address: 0x735a1000
  • base_address: 0x73c41000
  • base_address: 0x72a71000
  • base_address: 0x729d1000
Checks if process is being debugged by a debugger (1 event)
API / Arguments / Status / Return / Repeated
IsDebuggerPresent  (no arguments)  0  0
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name JPEG
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator\AppData\Local\Temp\AddCer.exe
Creates a suspicious process (4 events)
cmdline cmd.exe /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\AddCer.exe
cmdline "C:\Windows\System32\cmd.exe" /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\AddCer.exe
cmdline "C:\Windows\System32\cmd.exe" /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\DAC218~1.EXE
cmdline cmd.exe /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\DAC218~1.EXE
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator\AppData\Local\Temp\Z1rasadhlp.jpg
file C:\Users\Administrator\AppData\Local\Temp\dac2188c436443ea_mainexe.exe
A process created a hidden window (4 events)
API / Arguments / Status / Return / Repeated
Each event is a ShellExecuteExW call with show_type: 0, reporting Status 1, Return 1, Repeated 0:
  • filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\AddCer.exe, parameters: (none), filepath: C:\Users\Administrator\AppData\Local\Temp\AddCer.exe
  • filepath_r: cmd.exe, parameters: /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\DAC218~1.EXE, filepath: cmd.exe
  • filepath_r: rundll32.exe, parameters: cryptext.dll,CryptExtAddCER C:\Users\ADMINI~1\AppData\Local\Temp\z1yuny4n.cer, filepath: rundll32.exe
  • filepath_r: cmd.exe, parameters: /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\AddCer.exe, filepath: cmd.exe
Uses Windows utilities for basic Windows functionality (4 events)
cmdline cmd.exe /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\AddCer.exe
cmdline "C:\Windows\System32\cmd.exe" /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\AddCer.exe
cmdline "C:\Windows\System32\cmd.exe" /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\DAC218~1.EXE
cmdline cmd.exe /c del /A C:\Users\ADMINI~1\AppData\Local\Temp\DAC218~1.EXE
File has been identified by 10 AntiVirus engines on IRMA as malicious (10 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Fragtor.784197 (Engine A)
Avast Core Security (Linux) Win32:Malware-gen
Trellix (Linux) GenericR-OCV
WithSecure (Linux) Heuristic.HEUR/AGEN.1343123
eScan Antivirus (Linux) Gen:Variant.Fragtor.784197(DB)
ESET Security (Windows) a variant of Win32/Agent.AADS trojan
DrWeb Antivirus (Linux) Trojan.MulDrop2.56433
Bitdefender Antivirus (Linux) Gen:Variant.Fragtor.784197
Kaspersky Standard (Windows) Trojan.Win32.Agent.ilaf
Emsisoft Commandline Scanner (Windows) Gen:Variant.Fragtor.784197 (B)
Screenshots
Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action / VT / Location)
No hosts contacted.