dcrat

General

Target

76a0f76bfda841ed6e838d21248f7eee27b3ade108f9f289b4046c3863963871
Size

141KB
Sample

220930-yc764aeed9
MD5

6a99031a0e0060edd7fe677df72f678a
SHA1

943b2d93b6578d9970a6067853a77f65537fa7f6
SHA256

76a0f76bfda841ed6e838d21248f7eee27b3ade108f9f289b4046c3863963871
SHA512

a1b9d2df17c66f8d0f6a3f8541815347044dbb75fd526cf0e583f93ada858482c92eb6f62755eefa36298e9dd36b8748188e1033eb63e4f32e9ed83990259f46
SSDEEP

3072:IyRpee6UA4LhtqdRS69uguKE/AeVlu2Xa82xmInnQ2C5+:I+1htTGu/KE/ACXQx1nnQr5+

Malware Config

Extracted

Family

djvu

C2

http://winnlinne.com/lancer/get.php

Attributes

extension
.ofww
offline_id
xkNzhkB1wvgoDI7Uo0HPNLY3qCuwoFpP7nlhlut1
payload_url
http://rgyui.top/dl/build2.exe

http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-EWKSsSJiVn Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0569Jhyjd

rsa_pubkey.plain

Extracted

Family

vidar

Version

54.7

Botnet

517

C2

https://t.me/trampapanam

https://nerdculture.de/@yoxhyp

Attributes

profile_id
517

Extracted

Family

redline

Botnet

@POTERYAN2022

C2

88.218.170.211:59705

Extracted

Family

redline

Botnet

fud

C2

45.15.156.7:48638

Attributes

auth_value
da2faefdcf53c9d85fcbb82d0cbf4876

Extracted

Family

remcos

Botnet

traffic

C2

194.190.152.126:80

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-92IDED
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
exodus;metamask;ronin;phantom;atomic;binance;

Targets

- Target
  
  76a0f76bfda841ed6e838d21248f7eee27b3ade108f9f289b4046c3863963871
- Size
  
  141KB
- MD5
  
  6a99031a0e0060edd7fe677df72f678a
- SHA1
  
  943b2d93b6578d9970a6067853a77f65537fa7f6
- SHA256
  
  76a0f76bfda841ed6e838d21248f7eee27b3ade108f9f289b4046c3863963871
- SHA512
  
  a1b9d2df17c66f8d0f6a3f8541815347044dbb75fd526cf0e583f93ada858482c92eb6f62755eefa36298e9dd36b8748188e1033eb63e4f32e9ed83990259f46
- SSDEEP
  
  3072:IyRpee6UA4LhtqdRS69uguKE/AeVlu2Xa82xmInnQ2C5+:I+1htTGu/KE/ACXQx1nnQr5+
Score

10^/10

dcrat djvu redline remcos smokeloader vidar 517 @poteryan2022 fud traffic backdoor collection discovery evasion infostealer persistence ransomware rat spyware stealer trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detected Djvu ransomware
- Detects Smokeloader packer
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- UAC bypass
  evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1