Overview

overview

10

Static

static

Senox.bat

windows7-x64

8

Senox.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Senox.bat

  • Size

    24KB

  • Sample

    220905-wa41jsfef2

  • MD5

    5c127a3116ab79ccc8cc74a33a3b4e30

  • SHA1

    d8d30bc6689dc8eab0e1410eaa7320483537e2c2

  • SHA256

    0bb89898ef01a14ca19b062f0bbcaee1be2bfcb113e65bb32b84108bd1009d9f

  • SHA512

    7090111935c4302c87633442ba4616ac35c80fca5a3ae7cf25d8d46b29422a5a931e07b2b66ef03a0b368e9b480a54cb4b7c1b229c25cac775281d22aaaefe2d

  • SSDEEP

    384:gM09FmyhR3aY6AggTTgMPZXffUzyJpt8RL+3GSKwl5KYABdM:g91EAgkPZXffUOJ0Ry3GSfYYABdM

Score
10/10
dcratdiscoveryevasionexploitinfostealerratspywarestealer

Malware Config

Targets

    • Target

      Senox.bat

    • Size

      24KB

    • MD5

      5c127a3116ab79ccc8cc74a33a3b4e30

    • SHA1

      d8d30bc6689dc8eab0e1410eaa7320483537e2c2

    • SHA256

      0bb89898ef01a14ca19b062f0bbcaee1be2bfcb113e65bb32b84108bd1009d9f

    • SHA512

      7090111935c4302c87633442ba4616ac35c80fca5a3ae7cf25d8d46b29422a5a931e07b2b66ef03a0b368e9b480a54cb4b7c1b229c25cac775281d22aaaefe2d

    • SSDEEP

      384:gM09FmyhR3aY6AggTTgMPZXffUzyJpt8RL+3GSKwl5KYABdM:g91EAgkPZXffUOJ0Ry3GSfYYABdM

    Score
    10/10
    dcratdiscoveryevasionexploitinfostealerratspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies security service

      evasion

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Scheduled Task

1
T1053

Hidden Files and Directories

1
T1158

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks