dcrat

General

Target

file.exe
Size

3.6MB
Sample

231029-a1rx1sea4w
MD5

69b35056fa8377916fd5352ad665221e
SHA1

8cbcb3514fd4d6fa96d381872044785172d3cd38
SHA256

8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86
SHA512

66877457ad8b805134fdf25db830cceab66bc2d40f161d2ad7442feb6655b15f51b528d797bb1dda5a6f2bde6459d60515d41de040e04dadc7fbb1232fc59383
SSDEEP

49152:9pOoRzMqCUn7xYdZlmQp/8/mm9/zSrzA/atbpHc/109nSJTl0pox+GgLOz+q6JPf:mtufEJMlwZJ

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

vidar

Version

6.2

Botnet

ecfea5e785cf6eb1f47a5865492bbbb3

C2

https://steamcommunity.com/profiles/76561199564671869

https://t.me/scubytale

Attributes

profile_id_v2
ecfea5e785cf6eb1f47a5865492bbbb3
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 OPR/104.0.0.0

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  file.exe
- Size
  
  3.6MB
- MD5
  
  69b35056fa8377916fd5352ad665221e
- SHA1
  
  8cbcb3514fd4d6fa96d381872044785172d3cd38
- SHA256
  
  8defddf3ccf1ca34a7338088a7c98f08569532d0474a5221533b715364921f86
- SHA512
  
  66877457ad8b805134fdf25db830cceab66bc2d40f161d2ad7442feb6655b15f51b528d797bb1dda5a6f2bde6459d60515d41de040e04dadc7fbb1232fc59383
- SSDEEP
  
  49152:9pOoRzMqCUn7xYdZlmQp/8/mm9/zSrzA/atbpHc/109nSJTl0pox+GgLOz+q6JPf:mtufEJMlwZJ
Score

10^/10

glupteba smokeloader vidar ecfea5e785cf6eb1f47a5865492bbbb3 pub1 backdoor dropper evasion loader stealer trojan upx vmprotect dcrat discovery infostealer rat spyware
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2