dcrat

Sharing

Copy URL Twitter E-mail

General

Target

0b27c3a34bff5b4395b84451f8dba5640dda751df1f37b0c99b6b4e226df26ec
Size

329KB
Sample

231122-feskbaac22
MD5

a0bf331f8cba1e1362a1717d119ce8dd
SHA1

e6b1e4b838ec7ac21929bd61698eebf69252d93e
SHA256

0b27c3a34bff5b4395b84451f8dba5640dda751df1f37b0c99b6b4e226df26ec
SHA512

119bd0b640125f7711e7127c12f589f4d62891451f3c34df5ced365b65ad386997e017836586ed87cdb306b7982e81576d35e2fec2943c5521c6e86e89deb571
SSDEEP

3072:u9xASTrembWVr6iOMBJiIqCmCN+bnAaYTYAY62Rebiebp80C2:mzymb862niznrLrYZYUbie3

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://dpav.cc/tmp/

http://lrproduct.ru/tmp/

http://kggcp.com/tmp/

http://talesofpirates.net/tmp/

http://pirateking.online/tmp/

http://piratia.pw/tmp/

http://go-piratia.ru/tmp/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.iicc
offline_id
MI4io8cIlhyYsGaDxoKsbpWzfIe5lGPE0dYtrht1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-Y6UIMfI736 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0826ASdw

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

194.49.94.142:41292

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  0b27c3a34bff5b4395b84451f8dba5640dda751df1f37b0c99b6b4e226df26ec
- Size
  
  329KB
- MD5
  
  a0bf331f8cba1e1362a1717d119ce8dd
- SHA1
  
  e6b1e4b838ec7ac21929bd61698eebf69252d93e
- SHA256
  
  0b27c3a34bff5b4395b84451f8dba5640dda751df1f37b0c99b6b4e226df26ec
- SHA512
  
  119bd0b640125f7711e7127c12f589f4d62891451f3c34df5ced365b65ad386997e017836586ed87cdb306b7982e81576d35e2fec2943c5521c6e86e89deb571
- SSDEEP
  
  3072:u9xASTrembWVr6iOMBJiIqCmCN+bnAaYTYAY62Rebiebp80C2:mzymb862niznrLrYZYUbie3
Score

10^/10

dcrat djvu glupteba redline smokeloader logsdiller cloud (bot: @logsdillabot)pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer themida trojan upx up3
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detected Djvu ransomware
- Detects DLL dropped by Raspberry Robin.
  Raspberry Robin.
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2