dcrat

General

Target

file
Size

241KB
Sample

240118-tqmebsdga9
MD5

ca601143e3801beb25bc5d37c6023d09
SHA1

c0998a01358054ba5196d5a7e867dc7e06faf592
SHA256

b52028609b92de2f7a3621621f2d3b3de11f48c16b1d612ad2efebb2af4af2a2
SHA512

6ffc615329ceb9fcf10949ac0e521f08908835f74658d084752ad2ad3fca5fd708a98e2d8188efe52d371bde3020591cddbcd696ead4dba0bb3069d68cdaba34
SSDEEP

6144:06EXHjhWyU9nnLlIgv947F31oBNBhSb2:HWHjhU1nBNEB1o2K

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://gxutc2c.com/tmp/index.php

http://proekt8.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Targets

- Target
  
  file
- Size
  
  241KB
- MD5
  
  ca601143e3801beb25bc5d37c6023d09
- SHA1
  
  c0998a01358054ba5196d5a7e867dc7e06faf592
- SHA256
  
  b52028609b92de2f7a3621621f2d3b3de11f48c16b1d612ad2efebb2af4af2a2
- SHA512
  
  6ffc615329ceb9fcf10949ac0e521f08908835f74658d084752ad2ad3fca5fd708a98e2d8188efe52d371bde3020591cddbcd696ead4dba0bb3069d68cdaba34
- SSDEEP
  
  6144:06EXHjhWyU9nnLlIgv947F31oBNBhSb2:HWHjhU1nBNEB1o2K
Score

10^/10

glupteba smokeloader stealc pub1 backdoor bootkit dropper evasion loader persistence stealer trojan upx dcrat discovery infostealer rat spyware
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Contacts a large (552) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2