dcrat

General

Target

880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604
Size

244KB
Sample

240206-xjdemadeb6
MD5

79c996f4d780bc235cf93c973fe9ba7d
SHA1

ce84ecc4cae48aa39d864adeb278a08221521ac4
SHA256

880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604
SHA512

4424c393c21f73c7c71dcbbdf743ea9d5880402ad0c13db2ca43068ce28dc81be9e1f3625e499b999a91fea7a4302a9f40b1ba2ffde455810cd1e79e8627c7a7
SSDEEP

6144:FGKwnhrkDwlSJ/OjtXfMZ92E6rxlVram1h:FGKwnlCwlSRAtvMZ922+

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Credentials

Protocol: ftp
Host:
crownsupportservices.co.uk
Port:
21
Username:
[email protected]
Password:
Petrolhead12

Extracted

Credentials

Protocol: ftp
Host:
crownsupportservices.co.uk
Port:
21
Username:
info
Password:
Petrolhead12

Extracted

Credentials

Protocol: ftp
Host:
crownsupportservices.co.uk
Port:
21
Username:
admin
Password:
Petrolhead12

Targets

- Target
  
  880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604
- Size
  
  244KB
- MD5
  
  79c996f4d780bc235cf93c973fe9ba7d
- SHA1
  
  ce84ecc4cae48aa39d864adeb278a08221521ac4
- SHA256
  
  880cfe391a3652fee015dda49d156bbe047fabbd1eb77ce1560b8a64ebc66604
- SHA512
  
  4424c393c21f73c7c71dcbbdf743ea9d5880402ad0c13db2ca43068ce28dc81be9e1f3625e499b999a91fea7a4302a9f40b1ba2ffde455810cd1e79e8627c7a7
- SSDEEP
  
  6144:FGKwnhrkDwlSJ/OjtXfMZ92E6rxlVram1h:FGKwnlCwlSRAtvMZ922+
Score

10^/10

glupteba povertystealer smokeloader pub1 backdoor dropper evasion loader persistence stealer trojan upx dcrat bootkit discovery infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Poverty Stealer Payload
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
  stealer povertystealer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Modifies boot configuration data using bcdedit
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2