Overview

overview

10

Static

static

mixazed_20...09.exe

windows7_x64

10

mixazed_20...09.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    mixazed_20210714-165009

  • Size

    464KB

  • Sample

    210714-ekvynwfkda

  • MD5

    7107c581ed87665c78feec43ea1a5fed

  • SHA1

    372893674ed2012bf831c1ed39a7d5541b79c330

  • SHA256

    d4291e769969be325b9e0b9b2004f5ebb9b18f2a765b71840ee325e3f971b6bd

  • SHA512

    d876d8a181c75ec5a7f9c21e10668ba9e3e18cbc4b2f27dd22ef9778550e6016468b7592952f68a523507c32d78116c2507147e9f64d603ee406af0bada42ca7

Score
10/10
dcratxmriginfostealerminerratspywarestealerupx

Malware Config

Targets

    • Target

      mixazed_20210714-165009

    • Size

      464KB

    • MD5

      7107c581ed87665c78feec43ea1a5fed

    • SHA1

      372893674ed2012bf831c1ed39a7d5541b79c330

    • SHA256

      d4291e769969be325b9e0b9b2004f5ebb9b18f2a765b71840ee325e3f971b6bd

    • SHA512

      d876d8a181c75ec5a7f9c21e10668ba9e3e18cbc4b2f27dd22ef9778550e6016468b7592952f68a523507c32d78116c2507147e9f64d603ee406af0bada42ca7

    Score
    10/10
    dcratxmriginfostealerminerratspywarestealerupx

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • DCRat Payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • XMRig Miner Payload

      miner

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks