dcrat

General

Target

87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42.zip
Size

3.1MB
Sample

221114-lqmq4age55
MD5

0c6bc7381ac4654fe75dd7565c1eff7b
SHA1

5aeccea347346cf6f77c954c855bf98a4fefbbea
SHA256

b1f5584383eb0f2a73f571d094ea2e9a69f76bf0ff4df8989d2125bad3c2802d
SHA512

bccc61aac14b67915772a54e065be4f1fbf8ecc11a547367eb68a0e3ee75be1b69990d6ff11a5629a4882796320d460cc4924bafdfacbfbc57c465d585f571f2
SSDEEP

98304:Az+ynMqxV3nXW5h3Fy0UvqQDg00Fnz8M4c9fxl3qgdF9zlWM:Az+ynMoFI3FyLJgxFnz8Rkfxl3qqD

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

ffdroider

C2

http://101.36.107.74

Extracted

Family

vidar

Version

55.6

Botnet

1679

C2

https://t.me/seclab_new

https://raw.githubusercontent.com/sebekeloytfu/simple-bash-scripts/master/calculator.sh

Attributes

profile_id
1679

Targets

- Target
  
  87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42.exe
- Size
  
  3.2MB
- MD5
  
  96a1b2af40343e118e8eab30c9dc5c14
- SHA1
  
  3f3a3d8335da174a3fa64cd60a72696d925b3818
- SHA256
  
  87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
- SHA512
  
  9e747f9ced93bb793d1e4d97623fd6d1ab0ec7664b52cbd1258b1a4e8ffcefa6394abd5943f1731a4bcf8a058920ef0ec592aac33a7bc25060266fc043ae946a
- SSDEEP
  
  98304:UbADpNv9UyFximtuWtnL4iZ1Xxqsvk3upL/J5:UyxHtugLn38svkuLX
Score

10^/10

ffdroider privateloader smokeloader socelars backdoor discovery evasion loader spyware stealer trojan vmprotect dcrat vidar 1679 infostealer persistence rat themida
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detects Smokeloader packer
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2