Overview

overview

10

Static

static

Verona.bat

windows7-x64

8

Verona.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Verona.bat

  • Size

    21KB

  • Sample

    220904-a2p5taabf6

  • MD5

    d73bc2d37f4631d7aa4fef6a7d6504e6

  • SHA1

    4455eee3637f8beeee1108b220f383a4af93d603

  • SHA256

    5fa141c3c5398c40d382047d96832f488ebea8c37d9d297de3645ca1348b8043

  • SHA512

    d10de919156ce5de370755e6f01f49469bf06568526ca23fdabc5709308f79f9c97d9980d2fa891eaf0edb5905ef17fcece166bd9c1b3da1dddd257c9e93e9c2

  • SSDEEP

    384:SyLN3ekaTFYtaaX4SGKYwJ764W+SY9SRaHbbFiDPTJNIYPC7irxDkPwwjqb5dsAX:xLZ/aOFX7YwJ7RSLIiXD9ju3uwO

Score
10/10
dcratredlinedvdiscoveryevasionexploitinfostealerpersistencerat

Malware Config

Extracted

Family

redline

Botnet

Dv

C2

195.3.223.79:65252

Targets

    • Target

      Verona.bat

    • Size

      21KB

    • MD5

      d73bc2d37f4631d7aa4fef6a7d6504e6

    • SHA1

      4455eee3637f8beeee1108b220f383a4af93d603

    • SHA256

      5fa141c3c5398c40d382047d96832f488ebea8c37d9d297de3645ca1348b8043

    • SHA512

      d10de919156ce5de370755e6f01f49469bf06568526ca23fdabc5709308f79f9c97d9980d2fa891eaf0edb5905ef17fcece166bd9c1b3da1dddd257c9e93e9c2

    • SSDEEP

      384:SyLN3ekaTFYtaaX4SGKYwJ764W+SY9SRaHbbFiDPTJNIYPC7irxDkPwwjqb5dsAX:xLZ/aOFX7YwJ7RSLIiXD9ju3uwO

    Score
    10/10
    dcratredlinedvdiscoveryevasionexploitinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies security service

      evasion

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Hidden Files and Directories

1
T1158

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Hidden Files and Directories

1
T1158

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks