Overview
Static analysis: score 10/10
Behavioral tasks (sample: score out of 10, platform):
PROPAMAT/ResIL.dll: 1, windows7-x64
PROPAMAT/ResIL.dll: 1, windows10-2004-x64
PROPAMAT/c...lf.dll: 1, windows7-x64
PROPAMAT/c...lf.dll: 1, windows10-2004-x64
PROPAMAT/dbghelp.dll: 1, windows7-x64
PROPAMAT/dbghelp.dll: 1, windows10-2004-x64
PROPAMAT/lgc_api.dll: 1, windows7-x64
PROPAMAT/lgc_api.dll: 1, windows10-2004-x64
prom/ResIL.dll: 1, windows7-x64
prom/ResIL.dll: 1, windows10-2004-x64
prom/dbghelp.dll: 1, windows7-x64
prom/dbghelp.dll: 1, windows10-2004-x64
prom/hro.dll: 1, windows7-x64
prom/hro.dll: 1, windows10-2004-x64
prom/lgc_api.dll: 1, windows7-x64
prom/lgc_api.dll: 1, windows10-2004-x64
prom/me_elf.dll: 1, windows7-x64
prom/me_elf.dll: 1, windows10-2004-x64
setup.exe: 1, windows7-x64
setup.exe: 10, windows10-2004-x64
Only the setup.exe run on windows10-2004-x64 reaches 10/10; every DLL task and the windows7-x64 run of setup.exe score 1/10, so the detections below come from the Windows 10 execution of the installer.
General
Target: Artic_X!.7z
Size: 9.2MB
Sample: 240213-y6mr9agh6w
MD5: 592d4a4f55e0498305aa4925ca5df5d2
SHA1: 8fe47a7347d7620c594fd48c095795b38c058268
SHA256: dae8c36b46d77bb082e26366ff253f26948c946ed42ae2e0cbcb580588e69257
SHA512: 538453645d8b63b765eb354c61c4988d367e58b94d50bfcfce66912fba844ae658aa4b9182cdf45f43851efb8b8bfe3464c0de737109921ef3d1a1a4428e86dc
SSDEEP: 196608:0s15S+lJA0p9lVxZRVrxy5nT3hxpAJESeoiFLUd+ZajdkmDW:0s7bzLzRVw5nT7wbGpUEZCk+W
Static task: static1
Behavioral tasks (task: sample, resource image):
behavioral1: PROPAMAT/ResIL.dll, win7-20231215-en
behavioral2: PROPAMAT/ResIL.dll, win10v2004-20231215-en
behavioral3: PROPAMAT/chrome_elf.dll, win7-20231215-en
behavioral4: PROPAMAT/chrome_elf.dll, win10v2004-20231215-en
behavioral5: PROPAMAT/dbghelp.dll, win7-20231129-en
behavioral6: PROPAMAT/dbghelp.dll, win10v2004-20231215-en
behavioral7: PROPAMAT/lgc_api.dll, win7-20231215-en
behavioral8: PROPAMAT/lgc_api.dll, win10v2004-20231222-en
behavioral9: prom/ResIL.dll, win7-20231215-en
behavioral10: prom/ResIL.dll, win10v2004-20231222-en
behavioral11: prom/dbghelp.dll, win7-20231215-en
behavioral12: prom/dbghelp.dll, win10v2004-20231215-en
behavioral13: prom/hro.dll, win7-20231215-en
behavioral14: prom/hro.dll, win10v2004-20231222-en
behavioral15: prom/lgc_api.dll, win7-20231215-en
behavioral16: prom/lgc_api.dll, win10v2004-20231215-en
behavioral17: prom/me_elf.dll, win7-20231129-en
behavioral18: prom/me_elf.dll, win10v2004-20231215-en
behavioral19: setup.exe, win7-20231215-en
behavioral20: setup.exe, win10v2004-20231215-en
Malware Config
The sandbox extracted configurations for seven distinct families from one run, which is typical of a pay-per-install loader chain: the installer drops or downloads several payloads, and each carries its own C2 list. Two separate SmokeLoader configurations were recovered.
Extracted: stealc
C2: http://185.172.128.24
url_path: /f993692117a3fda2.php
Extracted: smokeloader
Botnet: pub3
Extracted: risepro
C2: 193.233.132.62
C2: 193.233.132.67:50500
C2: 193.233.132.49:50500
Extracted: smokeloader
Version: 2022
C2: http://sjyey.com/tmp/index.php
C2: http://babonwo.ru/tmp/index.php
C2: http://mth.com.ua/tmp/index.php
C2: http://piratia.pw/tmp/index.php
C2: http://go-piratia.ru/tmp/index.php
C2: http://selebration17io.io/index.php
C2: http://vacantion18ffeu.cc/index.php
C2: http://valarioulinity1.net/index.php
C2: http://buriatiarutuhuob.net/index.php
C2: http://cassiosssionunu.me/index.php
C2: http://sulugilioiu19.net/index.php
C2: http://goodfooggooftool.net/index.php
Extracted: tofsee
C2: vanaheim.cn
C2: jotunheim.name
Extracted: amadey
Version: 4.14
C2: http://anfesq.com
C2: http://cbinr.com
C2: http://rimakc.ru
install_dir: 68fd3d7ade
install_file: Utsysc.exe
strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths: /forum/index.php
Extracted: lumma
C2: https://resergvearyinitiani.shop/api
Extracted: socks5systemz
C2: http://boveifp.com/search/?q=67e28dd83e5df42e425dfd4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef819c5e9959a3c
C2: http://boveifp.com/search/?q=67e28dd83e5df42e425dfd4e7c27d78406abdd88be4b12eab517aa5c96bd86e99c824896148ab2865b77f80ebad9c40f7cb63037ed2ab423a4604383ba915d911ec07bb606a0708727e40ea678c45abbe74ffb0e2807e12571c17f3e83fe16c0e89d9f3dcd6f91
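The configuration blocks above mix three value shapes (bare host, host:port, full URL) and spread the same information over several families. The script below is an added example, not sandbox output: it copies the C2 values from this report into a constructed dictionary, normalizes every entry into (kind, host, port, path, family) rows, joins each family's url_path onto its bare hosts, and emits a deduplicated host[:port] blocklist. The row layout and the blocklist format are this script's own choices.

```python
"""Turn the extracted C2 configurations into a deduplicated IOC table.

Added example, not output of the sandbox. C2 values are copied from the
report's Malware Config section; the row layout and blocklist format are
assumptions made here.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed from the report's "Extracted" blocks (values copied verbatim).
EXTRACTED_CONFIGS = {
    "stealc": {"c2": ["http://185.172.128.24"], "url_path": "/f993692117a3fda2.php"},
    "risepro": {"c2": ["193.233.132.62", "193.233.132.67:50500", "193.233.132.49:50500"]},
    "smokeloader": {"c2": [
        "http://sjyey.com/tmp/index.php", "http://babonwo.ru/tmp/index.php",
        "http://mth.com.ua/tmp/index.php", "http://piratia.pw/tmp/index.php",
        "http://go-piratia.ru/tmp/index.php", "http://selebration17io.io/index.php",
        "http://vacantion18ffeu.cc/index.php", "http://valarioulinity1.net/index.php",
        "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php",
        "http://sulugilioiu19.net/index.php", "http://goodfooggooftool.net/index.php",
    ]},
    "tofsee": {"c2": ["vanaheim.cn", "jotunheim.name"]},
    "amadey": {"c2": ["http://anfesq.com", "http://cbinr.com", "http://rimakc.ru"],
               "url_path": "/forum/index.php"},
    "lumma": {"c2": ["https://resergvearyinitiani.shop/api"]},
    # Both socks5systemz URLs in the report share this host and path; one suffices here.
    "socks5systemz": {"c2": ["http://boveifp.com/search/?q=67e28dd83e5df42e425dfd4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a571ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef819c5e9959a3c"]},
}


def parse_c2(raw, url_path=None):
    """Split one C2 value into (kind, host, port, path).

    Sandbox configs carry bare 'host' and 'host:port' strings (RisePro, Tofsee)
    as well as full URLs; a family-level url_path is joined onto URLs that have
    no path of their own (Stealc, Amadey).
    """
    if "://" in raw:
        u = urlsplit(raw)
        host, port, path = u.hostname, u.port, u.path or "/"
        if url_path and path == "/":
            path = url_path
    else:
        host, _, port_s = raw.partition(":")
        port, path = (int(port_s) if port_s else None), None
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return kind, host, port, path


def build_ioc_table(configs):
    """Return sorted, unique (kind, host, port, path, family) rows."""
    rows = set()
    for family, cfg in configs.items():
        for raw in cfg["c2"]:
            kind, host, port, path = parse_c2(raw, cfg.get("url_path"))
            rows.add((kind, host, port, path, family))
    return sorted(rows, key=lambda r: (r[0], r[1], r[2] or 0, r[3] or "", r[4]))


def hosts_by_kind(rows):
    """Group unique hosts into IP literals and domains (different blocking tools)."""
    out = {"ip": set(), "domain": set()}
    for kind, host, *_ in rows:
        out[kind].add(host)
    return out


def blocklist_lines(rows):
    """One 'host[:port]' per line, the shape most firewall/DNS denylists accept."""
    return sorted({f"{h}:{p}" if p else h for _, h, p, _, _ in rows})


if __name__ == "__main__":
    table = build_ioc_table(EXTRACTED_CONFIGS)
    for row in table:
        print("\t".join("" if v is None else str(v) for v in row))
    print("--- blocklist ---")
    print("\n".join(blocklist_lines(table)))
```

Domains and IP literals are separated because they go to different controls (DNS RPZ or proxy categories versus firewall objects); the full path is kept in the row because a URL-path match such as `/f993692117a3fda2.php` is a far lower false-positive signal than the bare IP.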
Targets
The hashes show that the nine DLL paths are only four distinct binaries: prom/ResIL.dll, prom/dbghelp.dll and prom/lgc_api.dll are byte-identical to their PROPAMAT/ counterparts, and prom/hro.dll and prom/me_elf.dll are byte-identical to PROPAMAT/chrome_elf.dll (same MD5, SHA1, SHA256 and SHA512). Every DLL task scores 1/10. setup.exe is 727.0MB inside a 9.2MB archive; a compression ratio like that only arises when most of the executable is repetitive filler, and inflating a dropper past the upload limits of AV portals and sandboxes is a common evasion, so measure the padding before treating the file as too large to analyze.

Target: PROPAMAT/ResIL.dll
Size: 1.7MB
MD5: db09096c78ff5762f4b5487fa8b0fa5f
SHA1: 1f7dd2ea79e2ee986bb5285e3f304a8bc83bc1b2
SHA256: a2d3d003bef45587349be9d6c715eefc0a104cf645338e2582b34c96d989e100
SHA512: cd6566d633e4901f9be9bf38e085c434bcbf8335147da56b225d7d468297464710055aa8f8f27e2ac0e7820c19823e620ab1ebd602bcc0f625b9c9418eec5509
SSDEEP: 49152:qd4f2DvxlaBqB7S4dnf2BRBNRMhGTs1p5:sS4oE7
Score: 1/10

Target: PROPAMAT/chrome_elf.dll
Size: 812KB
MD5: 9a861199039507ef92b3ad2832cc9cec
SHA1: ade7859a7bfea123fe37e6049ff6292605efba86
SHA256: 55fadde5e569cbe804abe26f4dfcb56595fc79e2bad91625df2309e5bd385266
SHA512: 3c6cf96bb3ae4f49f57f594615192c678088b7c7cdec0e00ae85232c81f9461eca985118ca7d130854ba9fc0b917b176f94d90c5e3af6dce3b328f0ac5bf8aa2
SSDEEP: 12288:UXxR37jWxg2Yb4zb9EF11sfWqEfROOtupHg1dsbDcgInQok7t6:UBxjW+lb4zZEFcwoOgpHOibDPVNZ6
Score: 1/10

Target: PROPAMAT/dbghelp.dll
Size: 1020KB
MD5: 74edbb03de3291fcf2094af1fb363f1d
SHA1: 16b5d948ed7843576781dc4f2a391607ac0120a4
SHA256: dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa
SHA512: b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289
SSDEEP: 24576:YXm4cpDFYD2aC0jH5yrrXlpWrCSyZC0wLHr298TG00g8EAB4a:hpKD2aC0jH5yr7DWRyZlwH29vjDIa
Score: 1/10

Target: PROPAMAT/lgc_api.dll
Size: 2.2MB
MD5: f0b570e6ec2a1c395fef9a0bf893520b
SHA1: 527040ce92dce6467e4feb8522e95b6f8b5963b1
SHA256: 6d84c3e3a6d3e5793d0cb99c3b65a1c07985c3d821bfa5e092c4ef1b474988a9
SHA512: 8b6fa3b58e1376a99555331a681fa237840d33e6c9ec54c5f1c21c0b37187f22a66ab80c0852f70e2888472cca7c219713c2f08561896c1d5a1dcc17c52748c3
SSDEEP: 24576:hszqYiXwgjMMzsdH5yeknRHv+3zxZl9xbWNS/JlIVcV9rj/lq+ry:iqYosZyVWjF9lWNS/7IE9rj/lbG
Score: 1/10

Target: prom/ResIL.dll (identical to PROPAMAT/ResIL.dll)
Size: 1.7MB
MD5: db09096c78ff5762f4b5487fa8b0fa5f
SHA1: 1f7dd2ea79e2ee986bb5285e3f304a8bc83bc1b2
SHA256: a2d3d003bef45587349be9d6c715eefc0a104cf645338e2582b34c96d989e100
SHA512: cd6566d633e4901f9be9bf38e085c434bcbf8335147da56b225d7d468297464710055aa8f8f27e2ac0e7820c19823e620ab1ebd602bcc0f625b9c9418eec5509
SSDEEP: 49152:qd4f2DvxlaBqB7S4dnf2BRBNRMhGTs1p5:sS4oE7
Score: 1/10

Target: prom/dbghelp.dll (identical to PROPAMAT/dbghelp.dll)
Size: 1020KB
MD5: 74edbb03de3291fcf2094af1fb363f1d
SHA1: 16b5d948ed7843576781dc4f2a391607ac0120a4
SHA256: dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa
SHA512: b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289
SSDEEP: 24576:YXm4cpDFYD2aC0jH5yrrXlpWrCSyZC0wLHr298TG00g8EAB4a:hpKD2aC0jH5yr7DWRyZlwH29vjDIa
Score: 1/10

Target: prom/hro.dll (identical to PROPAMAT/chrome_elf.dll)
Size: 812KB
MD5: 9a861199039507ef92b3ad2832cc9cec
SHA1: ade7859a7bfea123fe37e6049ff6292605efba86
SHA256: 55fadde5e569cbe804abe26f4dfcb56595fc79e2bad91625df2309e5bd385266
SHA512: 3c6cf96bb3ae4f49f57f594615192c678088b7c7cdec0e00ae85232c81f9461eca985118ca7d130854ba9fc0b917b176f94d90c5e3af6dce3b328f0ac5bf8aa2
SSDEEP: 12288:UXxR37jWxg2Yb4zb9EF11sfWqEfROOtupHg1dsbDcgInQok7t6:UBxjW+lb4zZEFcwoOgpHOibDPVNZ6
Score: 1/10

Target: prom/lgc_api.dll (identical to PROPAMAT/lgc_api.dll)
Size: 2.2MB
MD5: f0b570e6ec2a1c395fef9a0bf893520b
SHA1: 527040ce92dce6467e4feb8522e95b6f8b5963b1
SHA256: 6d84c3e3a6d3e5793d0cb99c3b65a1c07985c3d821bfa5e092c4ef1b474988a9
SHA512: 8b6fa3b58e1376a99555331a681fa237840d33e6c9ec54c5f1c21c0b37187f22a66ab80c0852f70e2888472cca7c219713c2f08561896c1d5a1dcc17c52748c3
SSDEEP: 24576:hszqYiXwgjMMzsdH5yeknRHv+3zxZl9xbWNS/JlIVcV9rj/lq+ry:iqYosZyVWjF9lWNS/7IE9rj/lbG
Score: 1/10

Target: prom/me_elf.dll (identical to PROPAMAT/chrome_elf.dll)
Size: 812KB
MD5: 9a861199039507ef92b3ad2832cc9cec
SHA1: ade7859a7bfea123fe37e6049ff6292605efba86
SHA256: 55fadde5e569cbe804abe26f4dfcb56595fc79e2bad91625df2309e5bd385266
SHA512: 3c6cf96bb3ae4f49f57f594615192c678088b7c7cdec0e00ae85232c81f9461eca985118ca7d130854ba9fc0b917b176f94d90c5e3af6dce3b328f0ac5bf8aa2
SSDEEP: 12288:UXxR37jWxg2Yb4zb9EF11sfWqEfROOtupHg1dsbDcgInQok7t6:UBxjW+lb4zZEFcwoOgpHOibDPVNZ6
Score: 1/10

Target: setup.exe
Size: 727.0MB
MD5: 3258cc800407c70ca78fbbadc5714ffc
SHA1: 85610bc05a3efd39f93ef5a80c15d005ba2d3565
SHA256: 5c9ec77a657f11d8600eec7c726c1cdf618f402aa9ed1f3fa6a8f1f3380d0b29
SHA512: 393edf5151c42ecbce864e8fb5c1b7c3619f50f7924430cf51d5ecad0185ddf67ee10a1743a999a881b6ba2c771748c60cd9f992b7b3221aa4359edcbabc40dd
SSDEEP: 196608:kVbnTakY/r9+hrUT3tcgZ8dSvosK1CPa:GakIR+h4T3tRosK1Sa
Score: not shown in this section; the task list gives 1/10 on windows7-x64 and 10/10 on windows10-2004-x64.
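Two checks a reviewer would run on the extracted archive before spending sandbox time on ten files: which paths are the same bytes, and whether the 727.0MB setup.exe is mostly padding. The script below is an added example, not part of the report or of any project's code. It streams each file once for all four digests the report lists, groups paths by SHA-256, compares them with the report's SHA-256 values, and measures how much of a file is a single repeated byte. The demo tree mirrors the report's file names but is built from constructed placeholder bytes, so it does not contain the real samples and `match_report` finds nothing in it; point `group_identical` and `filler_ratio` at the real extraction directory to get the real answers.

```python
"""Hash, group and size-check the files of an extracted archive.

Added example, not part of the sandbox report. The demo tree uses placeholder
contents under the report's file names; it is NOT the real Artic_X!.7z.
"""
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# SHA-256 values copied from the report's Targets section.
REPORT_SHA256 = {
    "a2d3d003bef45587349be9d6c715eefc0a104cf645338e2582b34c96d989e100": "ResIL.dll",
    "55fadde5e569cbe804abe26f4dfcb56595fc79e2bad91625df2309e5bd385266": "chrome_elf.dll / hro.dll / me_elf.dll",
    "dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa": "dbghelp.dll",
    "6d84c3e3a6d3e5793d0cb99c3b65a1c07985c3d821bfa5e092c4ef1b474988a9": "lgc_api.dll",
    "5c9ec77a657f11d8600eec7c726c1cdf618f402aa9ed1f3fa6a8f1f3380d0b29": "setup.exe",
}


def file_digests(path, chunk=1 << 20):
    """MD5/SHA-1/SHA-256/SHA-512 in one streaming pass, so a 700MB file is read once."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def filler_ratio(path, chunk=1 << 20):
    """Return (most common byte value, its share of the file).

    A share near 1.0 means the file is padding around a small real payload,
    which is how a 727MB installer fits in a 9.2MB archive.
    """
    counts = Counter()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            counts.update(block)
    if not counts:
        return None, 0.0
    byte, n = counts.most_common(1)[0]
    return byte, n / sum(counts.values())


def walk_files(root):
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)


def group_identical(root):
    """Map sha256 -> archive-relative paths holding exactly those bytes."""
    groups = defaultdict(list)
    for p in walk_files(root):
        rel = os.path.relpath(p, root).replace(os.sep, "/")
        groups[file_digests(p)["sha256"]].append(rel)
    return dict(groups)


def match_report(root, known=REPORT_SHA256):
    """Relative paths whose SHA-256 appears in the report's hash list."""
    return {p: known[h] for h, ps in group_identical(root).items() if h in known for p in ps}


def build_demo_tree():
    """Constructed placeholder tree mirroring the report's paths (not the real files)."""
    root = tempfile.mkdtemp(prefix="artic_demo_")
    content = {  # one placeholder body per distinct hash in the report
        "ResIL": b"MZ placeholder ResIL", "elf": b"MZ placeholder chrome_elf",
        "dbghelp": b"MZ placeholder dbghelp", "lgc": b"MZ placeholder lgc_api",
        # ~2 KB of non-zero bytes followed by 1 MiB of zero filler, like an inflated installer
        "setup": b"MZ placeholder setup" * 100 + b"\x00" * (1 << 20),
    }
    layout = {
        "PROPAMAT/ResIL.dll": "ResIL", "PROPAMAT/chrome_elf.dll": "elf",
        "PROPAMAT/dbghelp.dll": "dbghelp", "PROPAMAT/lgc_api.dll": "lgc",
        "prom/ResIL.dll": "ResIL", "prom/dbghelp.dll": "dbghelp", "prom/hro.dll": "elf",
        "prom/lgc_api.dll": "lgc", "prom/me_elf.dll": "elf", "setup.exe": "setup",
    }
    for rel, key in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content[key])
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for sha, paths in group_identical(root).items():
        print(sha[:16], "->", ", ".join(paths))
    print("setup.exe filler:", filler_ratio(os.path.join(root, "setup.exe")))
    print("report matches:", match_report(root))
```

Grouping by hash before submitting to a sandbox saves five of the ten tasks this report ran; the filler ratio tells you whether to carve the real payload out of setup.exe (the non-filler bytes at the front, typically) instead of uploading 727MB.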
Signatures (reported for setup.exe):
DcRat: DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Loads dropped DLL
Unexpected DNS network traffic destination: network traffic to servers other than the configured DNS servers was detected on the DNS port.
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
AutoIT Executable: AutoIT scripts compiled to PE executables.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Note that most of the environment checks (VirtualBox ACPI keys, BIOS strings, Wine keys, Geo\Nation) are registry reads. Sysmon logs registry key and value writes (event IDs 12 to 14) but not reads, so these particular signatures come from the sandbox's API-level tracing; reproducing them on an endpoint needs ETW registry tracing or an EDR that hooks the query calls, whereas the Run key, service ImagePath, firewall and service-stop signatures map directly onto Sysmon registry and process-creation events.
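The signature list reads as a set of host-behaviour rules, and most of them are simple matches on an API name plus a registry path, command line or file path. The script below is an added example, not the sandbox's own rule engine and not code from any project: it encodes twelve of the signatures above as (name, ATT&CK technique, API prefix, field, regex) tuples and runs them over a constructed, sandbox-style API trace in JSON-lines form. The event schema (`pid`, `api`, `key`, `value`, `cmdline`, `path`, `info_class`), the process IDs, the service name `DemoSvc` and the trace lines themselves are all assumptions made for the demonstration; the registry paths in the rules are the real Windows locations the signatures refer to.

```python
"""Match sandbox-style API trace events against behaviour signatures.

Added example, not the sandbox's rule engine. The trace below is constructed
(schema, pids and values are assumptions); only the registry paths in the
rules are the real Windows locations the report's signatures describe.
"""
import json
import re

# Constructed JSON-lines API trace: three processes plus one benign reader (pid 42).
SAMPLE_TRACE = r"""
{"pid": 1234, "api": "RegQueryValueExW", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS", "value": "SystemManufacturer"}
{"pid": 1234, "api": "RegOpenKeyExW", "key": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"}
{"pid": 1234, "api": "RegOpenKeyExW", "key": "HKCU\\Software\\Wine"}
{"pid": 1234, "api": "RegEnumKeyExW", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"}
{"pid": 1234, "api": "RegQueryValueExW", "key": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"}
{"pid": 5678, "api": "RegSetValueExW", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Utsysc"}
{"pid": 5678, "api": "RegSetValueExW", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\DemoSvc", "value": "ImagePath"}
{"pid": 5678, "api": "CreateProcessW", "cmdline": "netsh advfirewall set allprofiles state off"}
{"pid": 5678, "api": "CreateProcessW", "cmdline": "sc stop wuauserv"}
{"pid": 5678, "api": "NtSetInformationThread", "info_class": "ThreadHideFromDebugger"}
{"pid": 9999, "api": "RegOpenKeyExW", "key": "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"}
{"pid": 9999, "api": "CreateFileW", "path": "C:\\Users\\victim\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"pid": 42, "api": "RegQueryValueExW", "key": "HKCU\\Software\\Microsoft\\Notepad", "value": "lfFaceName"}
"""

# (signature name, ATT&CK technique, API name prefix, event field, case-insensitive regex)
RULES = [
    ("Identifies VirtualBox via ACPI registry values", "T1497.001", "Reg", "key",
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks BIOS information in registry", "T1082", "RegQuery", "key",
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS$"),
    ("Identifies Wine through registry keys", "T1497.001", "Reg", "key", r"^HKCU\\Software\\Wine$"),
    ("Checks computer location settings", "T1614", "RegQuery", "key",
     r"\\Control Panel\\International\\Geo$"),
    ("Checks installed software on the system", "T1518", "RegEnum", "key", r"\\CurrentVersion\\Uninstall$"),
    ("Adds Run key to start application", "T1547.001", "RegSet", "key", r"\\CurrentVersion\\Run$"),
    ("Sets service image path in registry", "T1543.003", "RegSet", "key_value",
     r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$"),
    ("Modifies Windows Firewall", "T1562.004", "CreateProcess", "cmdline", r"netsh\s+advfirewall"),
    ("Stops running service(s)", "T1489", "CreateProcess", "cmdline", r"(^|\s)sc(\.exe)?\s+stop\s"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "T1622", "NtSetInformationThread",
     "info_class", r"^ThreadHideFromDebugger$"),
    ("Accesses Microsoft Outlook profiles", "T1114.001", "Reg", "key", r"\\Office\\[\d.]+\\Outlook\\Profiles"),
    ("Accesses cryptocurrency files/wallets", "T1005", "CreateFile", "path",
     r"\\(Exodus|Electrum|Ethereum|Bitcoin)\\"),
]


def evaluate(trace_lines, rules=RULES):
    """Return {pid: [(signature, technique), ...]} with each signature counted once per process."""
    hits = {}
    for line in trace_lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        fields = dict(e)
        if "value" in e:  # registry rules that need the value name match on key\value
            fields["key_value"] = e["key"] + "\\" + e["value"]
        for name, technique, api_prefix, field, pattern in rules:
            if not e.get("api", "").startswith(api_prefix) or field not in fields:
                continue
            if re.search(pattern, fields[field], re.IGNORECASE):
                per_pid = hits.setdefault(e["pid"], [])
                if (name, technique) not in per_pid:
                    per_pid.append((name, technique))
    return hits


def technique_coverage(hits):
    """Sorted unique ATT&CK technique IDs across all flagged processes."""
    return sorted({t for sigs in hits.values() for _, t in sigs})


if __name__ == "__main__":
    result = evaluate(SAMPLE_TRACE.splitlines())
    for pid, sigs in sorted(result.items()):
        print(f"pid {pid}:")
        for name, technique in sigs:
            print(f"  [{technique}] {name}")
    print("techniques:", ", ".join(technique_coverage(result)))
```

The per-process grouping matters for scoring: one process that trips the VirtualBox, BIOS, Wine and Geo checks together is a sandbox-evasion signal, whereas any single one of those reads also occurs in legitimate installers.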
MITRE ATT&CK Enterprise v15 (counts in parentheses are the report's per-technique signature counts)
Persistence
Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Create or Modify System Process (3): Windows Service (3)
Pre-OS Boot (1): Bootkit (1)
Scheduled Task/Job (1)
Privilege Escalation
Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Create or Modify System Process (3): Windows Service (3)
Scheduled Task/Job (1)
Defense Evasion
Impair Defenses (3): Disable or Modify System Firewall (1), Disable or Modify Tools (1)
Modify Registry (5)
Pre-OS Boot (1): Bootkit (1)
Subvert Trust Controls (1): Install Root Certificate (1)
Virtualization/Sandbox Evasion (2)