dcrat

Sharing

General

Target

d679480608237f232180bbccdb98a4aa237d1c7b4963a5815cd51f8e85d49013
Size

359KB
Sample

220709-mxpdyadgcq
MD5

6c296ac4e759e49b1a4354664adf9e62
SHA1

c1aad4f7250a9e46e995dd5be6c83156dc78d42a
SHA256

d679480608237f232180bbccdb98a4aa237d1c7b4963a5815cd51f8e85d49013
SHA512

21d02b657dabc8ecc499a31b557510822dc45b4b90b858522ba0bbae66b9394e75c5347fa01eb5ec61d2d29b95e8f96f505ded400d9af993bcc613394c61cff0

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

38.17.53.140:30686

Attributes

auth_value
7d4c8895c781964b1dd3b37efbb922d8

Extracted

Family

redline

193.233.193.49:11906

Attributes

auth_value
ad5cd49e075db8527ecb265d0bf18710

Extracted

Family

redline

Botnet

104.168.175.185:24296

Attributes

auth_value
d1d25fcea68896739206f4633c252b31

Extracted

Family

redline

Botnet

1399237859

37.235.54.26:8362

Extracted

Family

redline

Botnet

@mahouny23

194.36.177.26:16686

Attributes

auth_value
1e6a07738976b205f98e69f03924461d

Extracted

Family

eternity

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Extracted

Family

vidar

Version

53.1

Botnet

324

https://t.me/tg_dailyrunnings

https://mastodon.online/@olegf9844g

Attributes

profile_id
324

Targets

- Target
  
  d679480608237f232180bbccdb98a4aa237d1c7b4963a5815cd51f8e85d49013
- Size
  
  359KB
- MD5
  
  6c296ac4e759e49b1a4354664adf9e62
- SHA1
  
  c1aad4f7250a9e46e995dd5be6c83156dc78d42a
- SHA256
  
  d679480608237f232180bbccdb98a4aa237d1c7b4963a5815cd51f8e85d49013
- SHA512
  
  21d02b657dabc8ecc499a31b557510822dc45b4b90b858522ba0bbae66b9394e75c5347fa01eb5ec61d2d29b95e8f96f505ded400d9af993bcc613394c61cff0
Score

10^/10

dcrat eternity redline vidar 1 1399237859 22 324 @mahouny23 infostealer persistence pyinstaller rat stealer suricata upx
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detects Eternity stealer
  stealer
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE DCRAT Activity (GET)
  suricata: ET MALWARE DCRAT Activity (GET)
  suricata
- suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
  suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
  suricata
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1