General
  Target: 4363463463464363463463463.bin.zip
  Size: 4KB
  Sample: 240121-tkz38sefc2
  MD5: 4631cbe175fad05910b1139561fc91ea
  SHA1: 73a34a73b513af9aed3447e60f1800cb1f3659d0
  SHA256: 1dfb7d09daa0bece4197d998a72acac7deebaf2ff54b4461667495a41240d0e8
  SHA512: d0f99552dc38a334111756828d6bea33c3c02f856b2a7158fecba21d334965f009678fb6696ef955edbdd9d4c8c31eaba5e99933060c2f6139b8bf88ccb5f5c7
  SSDEEP: 96:m+oAmv2DIQNrEXStcOxJRvOy1pf8iyOo6CH8ecxeZJeK3SSmjHIge:Ntmv2DjNrEX+PxLub6CceckZJeKh2HU
Static task: static1

Behavioral task: behavioral1
  Sample: 4363463463464363463463463.exe
  Resource: win10-20231215-en
Malware Config

Extracted: smokeloader
  Botnet: pub1

Extracted: risepro
  C2: 185.149.146.75:50500

Extracted: asyncrat
  Version: 1.0.7
  Botnet: Default
  C2: 127.0.0.1:1604
  C2: 185.169.180.209:1604
  Mutex: DcRatMutex_qwqdanchun
  delay: 1
  install: false
  install_folder: %AppData%
Targets

Target: 4363463463464363463463463.bin
  Size: 10KB
  MD5: 2a94f3960c58c6e70826495f76d00b85
  SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
  SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
  SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
  SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Signatures
- DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
- Detect ZGRat V1
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SectopRAT payload
- Async RAT payload
- Downloads MZ/PE file
- Modifies Windows Firewall
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process: Windows Service (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Create or Modify System Process: Windows Service (1)
  Scheduled Task/Job (1)

Defense Evasion
  Subvert Trust Controls: Install Root Certificate (1)
  Modify Registry (1)