General
-
Target
DrfoneForAndroid_pass1234.rar
-
Size
116.8MB
-
Sample
210417-z8sxafzzes
-
MD5
6059444800b8b826e4de49cd730f8ea3
-
SHA1
62613a5e25d945423cc58f05ea3110d1d00a4758
-
SHA256
f16af1388aeddd0bcbcff560da419802dbf4841382bffb3f76571f97c0ebf95c
-
SHA512
65a7afcb5eccd52011925dd45d952362e1cf9d622639fac846698e4e34a5e62793e82f55cdde1626fcbc669c6ef4a3dfeeffcbaa50f99e6f5907cf2be722404f
Malware Config
Targets
-
-
Target
DrfoneForAndroid.exe
-
Size
117.0MB
-
MD5
d36de3e484b54d8d9864897dc93c42d5
-
SHA1
8669bfcce5a0aedc82232821cf37672645bdae3a
-
SHA256
b3be601b4902a1ba5c0754b2f67eaed42fc7bf7560de288c8a6e0401dc112595
-
SHA512
681bb7785d9847379baeb93e57f74ba188d13de312047e9c4689b96bb89f56814a02852c58f0fce45239f84b61bc10ff62ab18da7c9c9b10034482ccb5bd7a20
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Registers COM server for autorun
-
Creates new service(s)
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-