General
-
Target
27425AB21814ACDC92665957CE92F326A46EA99131EF3.exe
-
Size
2.5MB
-
Sample
221004-y4zc9scdb5
-
MD5
3e04b8ba6cbccb22f3a1cbb98b092990
-
SHA1
ce6176c44798b5104f87c8f37330041f7911b97f
-
SHA256
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
-
SHA512
8c1c8ac110c9aa43412d5569e20239704c53268b33ba88b74f8d85f00dc07fb8291d85937bcfe2459e0f54a1bbbde2f966057aff34a012a77350d86bb7c5641f
-
SSDEEP
49152:EggBDSuw1VkMpraG6d23GG49DSP4FDHhJaO69QGnMg4PPqZi5r:JxVVjsd2Z/AlNq9MgcPH5r
Malware Config
Extracted
nullmixer
http://sokiran.xyz/
Extracted
vidar
39.6
933
https://sslamlssa1.tumblr.com/
-
profile_id
933
Extracted
nymaim
208.67.104.97
85.31.46.167
Extracted
vidar
54.9
1679
https://t.me/larsenup
https://ioc.exchange/@zebra54
-
profile_id
1679
Extracted
raccoon
f65d012b021e6e8fcaa9c1a04b6d5107
http://64.44.102.241
http://64.44.102.116
Targets
-
-
Target
27425AB21814ACDC92665957CE92F326A46EA99131EF3.exe
-
Size
2.5MB
-
MD5
3e04b8ba6cbccb22f3a1cbb98b092990
-
SHA1
ce6176c44798b5104f87c8f37330041f7911b97f
-
SHA256
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
-
SHA512
8c1c8ac110c9aa43412d5569e20239704c53268b33ba88b74f8d85f00dc07fb8291d85937bcfe2459e0f54a1bbbde2f966057aff34a012a77350d86bb7c5641f
-
SSDEEP
49152:EggBDSuw1VkMpraG6d23GG49DSP4FDHhJaO69QGnMg4PPqZi5r:JxVVjsd2Z/AlNq9MgcPH5r
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Smokeloader packer
-
Modifies Windows Defender Real-time Protection settings
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution
-
Accesses 2FA software files, possible credential harvesting
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1File Permissions Modification
1Scripting
1Install Root Certificate
1