dcrat

General

Target

d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be
Size

957KB
Sample

231101-zp39caeg86
MD5

cbe32f1fcf5a77fe198bccdce3067827
SHA1

9f542ad5bc75e53bce25a79281a9ae9986f1cb95
SHA256

d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be
SHA512

069af973fb48f149f6c3bc42542fe1f21133787db19b832733c5781396c0bc4d70a0253602e70b5ee8e41bce5f1bbabf102322f6dd7575cd3f1d144f4a04d1db
SSDEEP

12288:KbcUfo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTEkV:XUw2dAK4tf+BVHHkIoRj3cQD

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Targets

- Target
  
  d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be
- Size
  
  957KB
- MD5
  
  cbe32f1fcf5a77fe198bccdce3067827
- SHA1
  
  9f542ad5bc75e53bce25a79281a9ae9986f1cb95
- SHA256
  
  d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be
- SHA512
  
  069af973fb48f149f6c3bc42542fe1f21133787db19b832733c5781396c0bc4d70a0253602e70b5ee8e41bce5f1bbabf102322f6dd7575cd3f1d144f4a04d1db
- SSDEEP
  
  12288:KbcUfo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTEkV:XUw2dAK4tf+BVHHkIoRj3cQD
Score

10^/10

redline smokeloader grome backdoor infostealer persistence trojan dcrat kinza microsoft paypal phishing rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2