Overview

Overview score: 10/10
Static score: 10/10

Target                     Platform             Score
2222-main/Build.exe        windows7-x64         10
2222-main/Build.exe        windows10-2004-x64   10
2222-main/...se.dll        windows7-x64         1
2222-main/...se.dll        windows10-2004-x64
2222-main/OTC.dll          windows7-x64         1
2222-main/OTC.dll          windows10-2004-x64   1
2222-main/OTC2.dll         windows7-x64         1
2222-main/OTC2.dll         windows10-2004-x64   1
2222-main/aurora.dll       windows7-x64         1
2222-main/aurora.dll       windows10-2004-x64   1
2222-main/...ty.dll        windows7-x64         3
2222-main/...ty.dll        windows10-2004-x64   3
2222-main/gan.exe          windows7-x64         6
2222-main/gan.exe          windows10-2004-x64   10
2222-main/mySThe.exe       windows7-x64         10
2222-main/mySThe.exe       windows10-2004-x64   10
2222-main/myporno.exe      windows7-x64         7
2222-main/myporno.exe      windows10-2004-x64   10
2222-main/pandora.dll      windows7-x64         3
2222-main/pandora.dll      windows10-2004-x64   3
2222-main/pass.exe         windows7-x64         10
2222-main/pass.exe         windows10-2004-x64   10
2222-main/petya.exe        windows7-x64         6
2222-main/petya.exe        windows10-2004-x64   6
2222-main/sheyhST.exe      windows7-x64         10
2222-main/sheyhST.exe      windows10-2004-x64   10
2222-main/...io.exe        windows7-x64         6
2222-main/...io.exe        windows10-2004-x64   7
2222-main/test.exe         windows7-x64         3
2222-main/test.exe         windows10-2004-x64   7
2222-main/token.exe        windows7-x64         6
2222-main/token.exe        windows10-2004-x64   6

General
- Target: c158eab31c5a8fd2da093fd5130f1ec8
- Size: 25.7MB
- Sample: 240311-xhp22abb5y
- MD5: c158eab31c5a8fd2da093fd5130f1ec8
- SHA1: b26bf14a694095e86cd63bf66049c37d87e6e0a4
- SHA256: 67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8
- SHA512: abbfeaf563b6cdd45b45f51d29100f9c26f84f8505c5895b42d209ffb20abf8ff43cfa02938b46f732386724de0a7c0e7fd89bef0ed7adaebadb82cfd0f8bf52
- SSDEEP: 786432:IsgLJYkWSW5gzVVh3cwBJJe9Fcik92l8fNkgAy:IjASW5g7h3JJ+FcjbfWgAy
Behavioral tasks

Task          Sample                     Resource
behavioral1   2222-main/Build.exe        win7-20240221-en
behavioral2   2222-main/Build.exe        win10v2004-20240226-en
behavioral3   2222-main/NanoSense.dll    win7-20240221-en
behavioral4   2222-main/NanoSense.dll    win10v2004-20240226-en
behavioral5   2222-main/OTC.dll          win7-20231129-en
behavioral6   2222-main/OTC.dll          win10v2004-20240226-en
behavioral7   2222-main/OTC2.dll         win7-20240221-en
behavioral8   2222-main/OTC2.dll         win10v2004-20240226-en
behavioral9   2222-main/aurora.dll       win7-20240221-en
behavioral10  2222-main/aurora.dll       win10v2004-20231215-en
behavioral11  2222-main/fatality.dll     win7-20240221-en
behavioral12  2222-main/fatality.dll     win10v2004-20240226-en
behavioral13  2222-main/gan.exe          win7-20240221-en
behavioral14  2222-main/gan.exe          win10v2004-20240226-en
behavioral15  2222-main/mySThe.exe       win7-20240221-en
behavioral16  2222-main/mySThe.exe       win10v2004-20240226-en
behavioral17  2222-main/myporno.exe      win7-20231129-en
behavioral18  2222-main/myporno.exe      win10v2004-20240226-en
behavioral19  2222-main/pandora.dll      win7-20240215-en
behavioral20  2222-main/pandora.dll      win10v2004-20240226-en
behavioral21  2222-main/pass.exe         win7-20240221-en
behavioral22  2222-main/pass.exe         win10v2004-20240226-en
behavioral23  2222-main/petya.exe        win7-20240221-en
behavioral24  2222-main/petya.exe        win10v2004-20240226-en
behavioral25  2222-main/sheyhST.exe      win7-20240221-en
behavioral26  2222-main/sheyhST.exe      win10v2004-20240226-en
behavioral27  2222-main/stpastio.exe     win7-20240221-en
behavioral28  2222-main/stpastio.exe     win10v2004-20240226-en
behavioral29  2222-main/test.exe         win7-20240221-en
behavioral30  2222-main/test.exe         win10v2004-20240226-en
behavioral31  2222-main/token.exe        win7-20231129-en
behavioral32  2222-main/token.exe        win10v2004-20240226-en
Malware Config

Targets

Target: 2222-main/Build.exe
- Size: 1.8MB
- MD5: 9886d20dd6f3d896861cc5f8ea0ca84b
- SHA1: 96ab3affa0279d5795a29f3e1ecae37546b8bb11
- SHA256: 56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929
- SHA512: 02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079
- SSDEEP: 49152:UbA30gth6l+eGtUvcx+GXJsVXu6jFKpveKB:Ubkth6l8x+GX4erpvzB
- Score: 10/10

- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Modifies WinLogon for persistence
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory

Target
2222-main/NanoSense.dll
-
Size
1.8MB
-
MD5
1253946cb5c0a21446422815d328603c
-
SHA1
39c598d2f8152642d99138bb00b14c1cee7dd862
-
SHA256
e9447d000a28bcbca3a142e37ad6f1c479d2941e2dcac9c7f389199b3bb644c7
-
SHA512
cf33ab47a69fe6a3dc793233f26a3cc5a2d3f5706b3fa0daf63b2832437f0b670fe321adffd36473310ad7146ca7527f7b7b4b69000c645dc809a1d44811375c
-
SSDEEP
49152:lhp4kqKXXjXmUhhC3rTNNI5J55HBlEABIS:lafNNI5vw
Score1/10 -
-
-
Target
2222-main/OTC.dll
-
Size
8.7MB
-
MD5
cbac1eb2d0f808c9a1ace63379888580
-
SHA1
f502e21059146f8fffba5cd84f5dccd5c8b22677
-
SHA256
8afbfe7db1165a9c6be977be0d2455d9287ebd9c64688ac0bbcc3e1a9872cff3
-
SHA512
1d1e3bff24d61b58f9e81d037f6b1a58101bb4c12a6550da0d61486f34978a5744535033e4100ba929e49fe970f92c7c30a385f7398ab30a2e21873b3aa6f715
-
SSDEEP
196608:touw26TL/vezmj/wvs/9sL1jcOytIsjTIImELIjHBAHH8Vz1pQVN:aL/amIvbR8y08ImELWA8Vzg
Score1/10 -
-
-
Target
2222-main/OTC2.dll
-
Size
3.0MB
-
MD5
0c10a107fc8686a7e74c4aa1f21c70da
-
SHA1
ce1fa117d53e87b3b4bdaaf828f3c2eba5bb10b7
-
SHA256
a2a7ec38150a186831d5d967b4b8321356d30e190eaf0c17d13033aa244fe93e
-
SHA512
de3cf3b0e26c6feb6177e9f197f73c015b4b8d744aa1bec75eb295c1feaeaa2f02493dc61ccc12e8e54b0c29f43fbab1a4d19ee5b3b47223e6d05e897fc584f2
-
SSDEEP
49152:mKWDDGuqiucb2sdcdk3YZ/8/RRLMSaYzRoRNUvoOFMHYs1j230xrT9Ezqq:Euuqiucb2sadHZ/8/PYYzR8NUvoOFMF
Score1/10 -
-
-
Target
2222-main/aurora.dll
-
Size
9.8MB
-
MD5
615ba7d6883c4b07c7714c35e5aaf83e
-
SHA1
92f5386d468af168d6a19bd00254523257c6374e
-
SHA256
c7f7e979cad914ff9cae4e36219bda55b0545aa77dd4cd6fa1c5b72a75c1a5a6
-
SHA512
14a69c1ee5518a3976c7ca19623b53100f6bd28ea582af53b5421ecb6f7283f34a547376e8f7f03ce7a101cbc848f3a4f1911e2a9b65665264a8a6e0cc76c3da
-
SSDEEP
196608:MrQz2nEo+G4nzaNmLTjZQe9rJZ31TPsK07oSx:M0anEorymNmL3pVZ31QKM
Score1/10 -
-
-
Target
2222-main/fatality.dll
-
Size
3.0MB
-
MD5
86043572df1eb246ac76a227f6714bde
-
SHA1
bead769ded4445addd232d8432215ba64d2a7996
-
SHA256
6640724ab609a8d4d1cc3963cb9e9d271a54cb1e387b178b7596ea57ce5e6614
-
SHA512
3f76ba50c014ebb243071a30c1038267118d18cd502e7f71e264447953be72109b1b1819ace5ba4c781eb8068befa783e62152d8936c8df0e37e58d9a576cd28
-
SSDEEP
49152:5YDtm94fh932FUi/E/xuCWaPFkp87D0C2L06:5YDVfhYFUv/lUCw
Score3/10 -
-
-
Target
2222-main/gan.exe
-
Size
1.0MB
-
MD5
87eaf345538203eec98ef5eb3f5fb4e2
-
SHA1
3c32b64679c2e85b9b843ed7a3a38094b5719ba4
-
SHA256
07e3cf6d608401dd2b8cc367deea6c4d9ea110056d3f32bfd87e1f8555083cf1
-
SHA512
553ce491a393f32ba67a8c1871fddc840bd3fc2569f57af5ae20a9ee40961e7c435cf91cdfe93574777932d08abd5380b6dfdb607aee080542cb40f157419c9d
-
SSDEEP
24576:0fQYNBhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR12Q:Uo54clgLH+tkWJ0N5
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
2222-main/mySThe.exe
-
Size
1.0MB
-
MD5
6d298ea9fddcb15bc12be3699b88724e
-
SHA1
946732233c9490060639a44ea593f2ccd6ddc30b
-
SHA256
74499fe96913a5ec1b89d8b79ca8bf2d3fd598c0d65339bd6d6223599f20aa7b
-
SHA512
40e40caaf22651eb749694b1827f1902c89935bb5f40baf7ec3c68bfd277b68bd76c3a7c54cfa4ce7959b7067b6fb00ec1513f57e330df7790a95e7ed6ebc8ed
-
SSDEEP
24576:PjE5gAVhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR4E:yo54clgLH+tkWJ0Nj
-
Detects Echelon Stealer payload
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
2222-main/myporno.exe
-
Size
871KB
-
MD5
a5e7145dc17d160b41d36dbea524c3f0
-
SHA1
2ad6faea0f967df37e404d14a4c1ccca607a924e
-
SHA256
99dfe0c0529b4122889ac7023330f2749df048d0b11a91e92155d991e189f0d8
-
SHA512
672a08a7e62b1129cc2997dd77e1709e86281d89d6ab88d12e771120b7a7a15638b9e2e110d3f95cf04e319da31dedbac4727d8b67e2a2343c68d280967d83c9
-
SSDEEP
24576:GR1wvcupUr/Tbp0g7kpRmxC98+/WQ8mkU:AfupUzTbmzpRtWzmL
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
2222-main/pandora.dll
-
Size
8.6MB
-
MD5
f98204a914adb09119b97a90d7be8f8d
-
SHA1
eb6652f4dd2c5c61465e0e39bd729d0aa253e7a4
-
SHA256
74743cbc394143af17482b8be8ea93230fc5bb11a6f3f4530121b9d885726c94
-
SHA512
30145a0a02c339b4ef289219fe075d2945acfa1250aaec02000abea3c1dfbc4faec9e1f33fdf93efb780b6dc4dede4204db48cdcf9272121083ee46f6880f816
-
SSDEEP
196608:B9dJRtGQJ+1ZUQ0a+DIva0Go76y3h54T:BTtGQUAvaJvVV7p3h5W
Score3/10 -
-
-
Target
2222-main/pass.exe
-
Size
863KB
-
MD5
a27ba5e68cdd7333b8cd5e4ebd558019
-
SHA1
c4e6d99f3979003424ad4cc511a36434944c02b0
-
SHA256
e42ba94ba2b856fdb7aa01b9dee11abd71c55b6fc15e1933a77269deedb57e88
-
SHA512
2edfb1bae88e3088da81fbcf382fa7955998562817eb9f25bfaef6d82cbeb064c93764d1f9f127ad667543854109da6df84938cbb8d9b62eabf3a00ee5699ff1
-
SSDEEP
12288:XZaaNwVY4K/EX7xzHMPq/2KAIoE2F27HFqkPNXyDxR8AVNHp+0ng13k/u:Ja3VDHtsz5hoHM4KxR8Mg
-
Detects Echelon Stealer payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
2222-main/petya.exe
-
Size
225KB
-
MD5
af2379cc4d607a45ac44d62135fb7015
-
SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa
-
SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
-
SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
-
SSDEEP
6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score6/10-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
2222-main/sheyhST.exe
-
Size
1.0MB
-
MD5
a339a377abbfb9c0ee85652901cc67b3
-
SHA1
cbafbcefd502b16d4661a2da17fc6d04b34ee0cb
-
SHA256
0a0a341eb3849788273e62d2acd28de82942f01396c7543f85a5b8a8420e0c44
-
SHA512
a43ae5d6cf03c96ae757bdb97521562c64e7248d73791ecfae1498df4e9b7401d359bba5e56a3ba2c16cc0e6f30cfc6b9c421667353cb4677b98977c0082282d
-
SSDEEP
24576:JjE5gAVhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR4E:go54clgLH+tkWJ0Nj
-
Detects Echelon Stealer payload
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
2222-main/stpastio.exe
-
Size
1.0MB
-
MD5
76240af1d6ebffbf210af7d95b59b97e
-
SHA1
8f029dfb9a98bd1c34335010c97780ac3f602d61
-
SHA256
18f6c675acef58163ad7322fbbaf75ac8d92c50e3f4e2dd02f26bbc4a93f4262
-
SHA512
71f2a9bb9a3ba9b0123fa302c6a96f9ff5b58be7804d1a84c170c4b69173428ddbc6807e91e034b23f83db9b51dfb8c6c7ae439fb822b7887927e5c84c007687
-
SSDEEP
24576:jfQYNBhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR12Q:Po54clgLH+tkWJ0N5
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
2222-main/test.exe
-
Size
50KB
-
MD5
934b148407a5f93bbeed3d5b2c91edde
-
SHA1
208fa687dea4cae2bd7a15907834ce107aea2683
-
SHA256
00a6aee5810a2f37be3722b8c05c363e9954e782f49e558f451c4097bbd6f217
-
SHA512
4cd3d836a122a19888f4be5541c158aa8add24b6276d8d9ee3a120ea2d3cc9ceb72c284ae41d3fa8d30b6c4bbfd18fe97ef451293222b9b9c23d125d3a882c2c
-
SSDEEP
768:nCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWUOh:D1Tzy48untU8fOMEI3jyYfPifOh
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
2222-main/token.exe
-
Size
7KB
-
MD5
a35189bbe526f95125f313585a23c091
-
SHA1
571507b33c3bb4641562e86f66fab4068a807067
-
SHA256
97ffdd15bd339158c3569a1183d8d42250932c262a570bf230db6e741b5eb815
-
SHA512
b233916b3c56bf62098cda4a82f3e234ce9dbe20d60d055d6743464d0d75ab4890006327ea45c8f38f08284616f01f373ebe2a260b75cc1d0a74e2dae42169c5
-
SSDEEP
96:qGhDBU9ZsETvsxblLSP8+Uqngf02CyZcFKfgfdlfBzNt:qGcoET1P8+UqVwfgFlfD
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Pre-OS Boot: 1
  - Bootkit: 1
- Scheduled Task/Job: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Scheduled Task/Job: 1