General
Target: DrfoneForAndroid_pass1234.rar
Size: 116.8MB
Sample: 210417-z8sxafzzes
MD5: 6059444800b8b826e4de49cd730f8ea3
SHA1: 62613a5e25d945423cc58f05ea3110d1d00a4758
SHA256: f16af1388aeddd0bcbcff560da419802dbf4841382bffb3f76571f97c0ebf95c
SHA512: 65a7afcb5eccd52011925dd45d952362e1cf9d622639fac846698e4e34a5e62793e82f55cdde1626fcbc669c6ef4a3dfeeffcbaa50f99e6f5907cf2be722404f
Static task
static1

Behavioral tasks
behavioral1: Sample DrfoneForAndroid.exe, Resource win10v20210410
behavioral2: Sample DrfoneForAndroid.exe, Resource win10v20210410
behavioral3: Sample DrfoneForAndroid.exe, Resource win10v20210408
behavioral4: Sample DrfoneForAndroid.exe, Resource win10v20210410
behavioral5: Sample DrfoneForAndroid.exe, Resource win7v20210408
Malware Config

Targets
Target: DrfoneForAndroid.exe
Size: 117.0MB
MD5: d36de3e484b54d8d9864897dc93c42d5
SHA1: 8669bfcce5a0aedc82232821cf37672645bdae3a
SHA256: b3be601b4902a1ba5c0754b2f67eaed42fc7bf7560de288c8a6e0401dc112595
SHA512: 681bb7785d9847379baeb93e57f74ba188d13de312047e9c4689b96bb89f56814a02852c58f0fce45239f84b61bc10ff62ab18da7c9c9b10034482ccb5bd7a20
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 that is capable of loading additional plugins.
- Modifies security service
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Registers COM server for autorun
- Creates new service(s)
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext