dcrat

General

Target

BLOXFLIP-Predictor-main.zip
Size

123KB
Sample

220903-jpsvlsecd9
MD5

28c28161403630ca68d42a4af4c29480
SHA1

82ff950edad08f33a9b79dd85016432850ce9d5b
SHA256

ec9841cb538722c15ef2900a750f8cc9a50f2b26d35078819117e180c1926e78
SHA512

152403206ede6dbaeb444c771336c857657d9988f1bca3264817598ca6e427892830021ed99ce85858c5426902b4ea133c9f2bb9e514ce4687922cc8209204ab
SSDEEP

3072:7NuWTMAD9YKMDYnVsYQpoJNSrOdvxQBdELM:7NuK90kV0moOq9

Score

10^/10

dcrat redline dv discovery evasion exploit infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Dv

C2

195.3.223.79:65252

Targets

- Target
  
  BLOXFLIP-Predictor-main/BloxPredictor.bat
- Size
  
  24KB
- MD5
  
  2ce736935920d83e5d55570739ca8c17
- SHA1
  
  9aab2f25403a0fe6921c152f61ed3d2ceacfad49
- SHA256
  
  001c531b29372d4f6c7697ac00a575773470d23c8681d1d5930aa1e4cd860b76
- SHA512
  
  c58589dbcf5a23ca2cd9284733db20659b81850a33bc6eddf6379507fb7307a569019373168665fee93c02d42bdd3ee3c42377db7e16405e32f6e7554d8a3de0
- SSDEEP
  
  768:lsh2CrG0Qz6Ee7Z+x4a7eE8xRrQAh+WVqMJzO:BCrGrGE7x4a7eDfrQAh+SJzO
Score

10^/10

dcrat redline dv discovery evasion exploit infostealer rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies security service
  evasion
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  BLOXFLIP-Predictor-main/DiscordHookSender.dll
- Size
  
  232KB
- MD5
  
  267a1dbc11b46409246492103e61f6cf
- SHA1
  
  0bfdcec52aa12159c3d7f8031f9d18d0e067766b
- SHA256
  
  f97600ec337e617940502efcfce7ff0fe4bfabee00f4726d43716fa5ecd0ec71
- SHA512
  
  2224c1ba1dfd193b0111deef4b793566945ae7709057cc2748564271a43ec870a0e4ea1619cdf411aec6d876c11463e995ce1efd406ff8cfda5b53e5026ad266
- SSDEEP
  
  3072:vJ/QKDUjSmd+Cr98BGtdV0F9UmFuT2sBLmTf0QZSkJqsDloKgfIiwVxxOrpoiKyW:vJnU2MWsVmFuT2cLkf0QZSUUufCFmWk
Score

1^/10
behavioral2
- Target
  
  BLOXFLIP-Predictor-main/README.md
- Size
  
  1KB
- MD5
  
  72b7350921fe5f31a779a24e9429ae8d
- SHA1
  
  8cf1e3334cfe74c1ad910b9280c95cbeb1724ada
- SHA256
  
  499dfd70a837fcf2d91f32a1854e0faac24ad5810f1633f4fe2191e9337a2ba1
- SHA512
  
  d3afa91a7b4dc8251d1a12cfb80fe5fdec210a2f7c0b4673d6354cc595b636d5857664ec334b86aa27ac8c60aa256fbb1f84a9be96e75a08fabe3ed9a498f251
Score

3^/10
behavioral3