dcrat | a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4 | Triage

Sharing

General

Target

a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4
Size

194KB
Sample

230323-r173nsgd23
MD5

de2cc5ab0c1b901b1d57a0e10c0185be
SHA1

f7d3144acc8e7473b8fb0c93cdc69632ea2de3ac
SHA256

a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4
SHA512

492fea5d91d8121432779fb4e01c6a5371b9fbe6675ecc9a32e416c583107e60ea160eeaa010cc83e7ace640ed7e31172ab1f4a3217526412cc9810960510be7
SSDEEP

3072:lSbONVWNIbrL8vTk1Wi5XiKR0Cf6MzjN+C1HQJISv5f9juaQE4nL:lSbFcrL8o1fikjNzQJn51juaQE

Score

10^/10

dcrat redline smokeloader 2023 2061513232 @fbskupbro backdoor infostealer persistence rat spyware trojan

Malware Config

Extracted

Family

smokeloader

Botnet

2023

Extracted

Family

smokeloader

Version

2022

C2

http://c3g6gx853u6j.xyz/

http://04yh16065cdi.xyz/

http://33qd2w560vnx.xyz/

http://neriir0f76gr.com/

http://b4y08hrp3jdb.com/

http://swp6fbywla09.com/

http://7iqt53dr345u.com/

http://mj4aj8r55mho.com/

http://ne4ym7bjn1ts.com/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

2061513232

C2

animalstyle.top:40309

Attributes

auth_value
06a7f7ef22670041a9614bb874d7e5fb

Extracted

Family

redline

Botnet

@FBSKUPBRO

C2

185.215.113.69:15544

Attributes

auth_value
5ebb0a18eb4f39a4158a145905cba2a4

Targets

- Target
  
  a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4
- Size
  
  194KB
- MD5
  
  de2cc5ab0c1b901b1d57a0e10c0185be
- SHA1
  
  f7d3144acc8e7473b8fb0c93cdc69632ea2de3ac
- SHA256
  
  a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4
- SHA512
  
  492fea5d91d8121432779fb4e01c6a5371b9fbe6675ecc9a32e416c583107e60ea160eeaa010cc83e7ace640ed7e31172ab1f4a3217526412cc9810960510be7
- SSDEEP
  
  3072:lSbONVWNIbrL8vTk1Wi5XiKR0Cf6MzjN+C1HQJISv5f9juaQE4nL:lSbFcrL8o1fikjNzQJn51juaQE
Score

10^/10

smokeloader 2023 backdoor trojan dcrat redline 2061513232 @fbskupbro infostealer persistence rat spyware
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloader2023backdoortrojan

behavioral2

dcratredlinesmokeloader20232061513232@fbskupbrobackdoorinfostealerpersistenceratspywaretrojan