General

  • Target

    c158eab31c5a8fd2da093fd5130f1ec8

  • Size

    25.7MB

  • Sample

    240311-xhp22abb5y

  • MD5

    c158eab31c5a8fd2da093fd5130f1ec8

  • SHA1

    b26bf14a694095e86cd63bf66049c37d87e6e0a4

  • SHA256

    67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8

  • SHA512

    abbfeaf563b6cdd45b45f51d29100f9c26f84f8505c5895b42d209ffb20abf8ff43cfa02938b46f732386724de0a7c0e7fd89bef0ed7adaebadb82cfd0f8bf52

  • SSDEEP

    786432:IsgLJYkWSW5gzVVh3cwBJJe9Fcik92l8fNkgAy:IjASW5g7h3JJ+FcjbfWgAy

Malware Config

Targets

    • Target

      2222-main/Build.exe

    • Size

      1.8MB

    • MD5

      9886d20dd6f3d896861cc5f8ea0ca84b

    • SHA1

      96ab3affa0279d5795a29f3e1ecae37546b8bb11

    • SHA256

      56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929

    • SHA512

      02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079

    • SSDEEP

      49152:UbA30gth6l+eGtUvcx+GXJsVXu6jFKpveKB:Ubkth6l8x+GX4erpvzB

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      2222-main/NanoSense.dll

    • Size

      1.8MB

    • MD5

      1253946cb5c0a21446422815d328603c

    • SHA1

      39c598d2f8152642d99138bb00b14c1cee7dd862

    • SHA256

      e9447d000a28bcbca3a142e37ad6f1c479d2941e2dcac9c7f389199b3bb644c7

    • SHA512

      cf33ab47a69fe6a3dc793233f26a3cc5a2d3f5706b3fa0daf63b2832437f0b670fe321adffd36473310ad7146ca7527f7b7b4b69000c645dc809a1d44811375c

    • SSDEEP

      49152:lhp4kqKXXjXmUhhC3rTNNI5J55HBlEABIS:lafNNI5vw

    Score
    1/10
    • Target

      2222-main/OTC.dll

    • Size

      8.7MB

    • MD5

      cbac1eb2d0f808c9a1ace63379888580

    • SHA1

      f502e21059146f8fffba5cd84f5dccd5c8b22677

    • SHA256

      8afbfe7db1165a9c6be977be0d2455d9287ebd9c64688ac0bbcc3e1a9872cff3

    • SHA512

      1d1e3bff24d61b58f9e81d037f6b1a58101bb4c12a6550da0d61486f34978a5744535033e4100ba929e49fe970f92c7c30a385f7398ab30a2e21873b3aa6f715

    • SSDEEP

      196608:touw26TL/vezmj/wvs/9sL1jcOytIsjTIImELIjHBAHH8Vz1pQVN:aL/amIvbR8y08ImELWA8Vzg

    Score
    1/10
    • Target

      2222-main/OTC2.dll

    • Size

      3.0MB

    • MD5

      0c10a107fc8686a7e74c4aa1f21c70da

    • SHA1

      ce1fa117d53e87b3b4bdaaf828f3c2eba5bb10b7

    • SHA256

      a2a7ec38150a186831d5d967b4b8321356d30e190eaf0c17d13033aa244fe93e

    • SHA512

      de3cf3b0e26c6feb6177e9f197f73c015b4b8d744aa1bec75eb295c1feaeaa2f02493dc61ccc12e8e54b0c29f43fbab1a4d19ee5b3b47223e6d05e897fc584f2

    • SSDEEP

      49152:mKWDDGuqiucb2sdcdk3YZ/8/RRLMSaYzRoRNUvoOFMHYs1j230xrT9Ezqq:Euuqiucb2sadHZ/8/PYYzR8NUvoOFMF

    Score
    1/10
    • Target

      2222-main/aurora.dll

    • Size

      9.8MB

    • MD5

      615ba7d6883c4b07c7714c35e5aaf83e

    • SHA1

      92f5386d468af168d6a19bd00254523257c6374e

    • SHA256

      c7f7e979cad914ff9cae4e36219bda55b0545aa77dd4cd6fa1c5b72a75c1a5a6

    • SHA512

      14a69c1ee5518a3976c7ca19623b53100f6bd28ea582af53b5421ecb6f7283f34a547376e8f7f03ce7a101cbc848f3a4f1911e2a9b65665264a8a6e0cc76c3da

    • SSDEEP

      196608:MrQz2nEo+G4nzaNmLTjZQe9rJZ31TPsK07oSx:M0anEorymNmL3pVZ31QKM

    Score
    1/10
    • Target

      2222-main/fatality.dll

    • Size

      3.0MB

    • MD5

      86043572df1eb246ac76a227f6714bde

    • SHA1

      bead769ded4445addd232d8432215ba64d2a7996

    • SHA256

      6640724ab609a8d4d1cc3963cb9e9d271a54cb1e387b178b7596ea57ce5e6614

    • SHA512

      3f76ba50c014ebb243071a30c1038267118d18cd502e7f71e264447953be72109b1b1819ace5ba4c781eb8068befa783e62152d8936c8df0e37e58d9a576cd28

    • SSDEEP

      49152:5YDtm94fh932FUi/E/xuCWaPFkp87D0C2L06:5YDVfhYFUv/lUCw

    Score
    3/10
    • Target

      2222-main/gan.exe

    • Size

      1.0MB

    • MD5

      87eaf345538203eec98ef5eb3f5fb4e2

    • SHA1

      3c32b64679c2e85b9b843ed7a3a38094b5719ba4

    • SHA256

      07e3cf6d608401dd2b8cc367deea6c4d9ea110056d3f32bfd87e1f8555083cf1

    • SHA512

      553ce491a393f32ba67a8c1871fddc840bd3fc2569f57af5ae20a9ee40961e7c435cf91cdfe93574777932d08abd5380b6dfdb607aee080542cb40f157419c9d

    • SSDEEP

      24576:0fQYNBhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR12Q:Uo54clgLH+tkWJ0N5

    Score
    10/10
    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2222-main/mySThe.exe

    • Size

      1.0MB

    • MD5

      6d298ea9fddcb15bc12be3699b88724e

    • SHA1

      946732233c9490060639a44ea593f2ccd6ddc30b

    • SHA256

      74499fe96913a5ec1b89d8b79ca8bf2d3fd598c0d65339bd6d6223599f20aa7b

    • SHA512

      40e40caaf22651eb749694b1827f1902c89935bb5f40baf7ec3c68bfd277b68bd76c3a7c54cfa4ce7959b7067b6fb00ec1513f57e330df7790a95e7ed6ebc8ed

    • SSDEEP

      24576:PjE5gAVhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR4E:yo54clgLH+tkWJ0Nj

    Score
    10/10
    • Detects Echelon Stealer payload

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2222-main/myporno.exe

    • Size

      871KB

    • MD5

      a5e7145dc17d160b41d36dbea524c3f0

    • SHA1

      2ad6faea0f967df37e404d14a4c1ccca607a924e

    • SHA256

      99dfe0c0529b4122889ac7023330f2749df048d0b11a91e92155d991e189f0d8

    • SHA512

      672a08a7e62b1129cc2997dd77e1709e86281d89d6ab88d12e771120b7a7a15638b9e2e110d3f95cf04e319da31dedbac4727d8b67e2a2343c68d280967d83c9

    • SSDEEP

      24576:GR1wvcupUr/Tbp0g7kpRmxC98+/WQ8mkU:AfupUzTbmzpRtWzmL

    Score
    10/10
    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2222-main/pandora.dll

    • Size

      8.6MB

    • MD5

      f98204a914adb09119b97a90d7be8f8d

    • SHA1

      eb6652f4dd2c5c61465e0e39bd729d0aa253e7a4

    • SHA256

      74743cbc394143af17482b8be8ea93230fc5bb11a6f3f4530121b9d885726c94

    • SHA512

      30145a0a02c339b4ef289219fe075d2945acfa1250aaec02000abea3c1dfbc4faec9e1f33fdf93efb780b6dc4dede4204db48cdcf9272121083ee46f6880f816

    • SSDEEP

      196608:B9dJRtGQJ+1ZUQ0a+DIva0Go76y3h54T:BTtGQUAvaJvVV7p3h5W

    Score
    3/10
    • Target

      2222-main/pass.exe

    • Size

      863KB

    • MD5

      a27ba5e68cdd7333b8cd5e4ebd558019

    • SHA1

      c4e6d99f3979003424ad4cc511a36434944c02b0

    • SHA256

      e42ba94ba2b856fdb7aa01b9dee11abd71c55b6fc15e1933a77269deedb57e88

    • SHA512

      2edfb1bae88e3088da81fbcf382fa7955998562817eb9f25bfaef6d82cbeb064c93764d1f9f127ad667543854109da6df84938cbb8d9b62eabf3a00ee5699ff1

    • SSDEEP

      12288:XZaaNwVY4K/EX7xzHMPq/2KAIoE2F27HFqkPNXyDxR8AVNHp+0ng13k/u:Ja3VDHtsz5hoHM4KxR8Mg

    Score
    10/10
    • Detects Echelon Stealer payload

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2222-main/petya.exe

    • Size

      225KB

    • MD5

      af2379cc4d607a45ac44d62135fb7015

    • SHA1

      39b6d40906c7f7f080e6befa93324dddadcbd9fa

    • SHA256

      26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

    • SHA512

      69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

    • SSDEEP

      6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      2222-main/sheyhST.exe

    • Size

      1.0MB

    • MD5

      a339a377abbfb9c0ee85652901cc67b3

    • SHA1

      cbafbcefd502b16d4661a2da17fc6d04b34ee0cb

    • SHA256

      0a0a341eb3849788273e62d2acd28de82942f01396c7543f85a5b8a8420e0c44

    • SHA512

      a43ae5d6cf03c96ae757bdb97521562c64e7248d73791ecfae1498df4e9b7401d359bba5e56a3ba2c16cc0e6f30cfc6b9c421667353cb4677b98977c0082282d

    • SSDEEP

      24576:JjE5gAVhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR4E:go54clgLH+tkWJ0Nj

    Score
    10/10
    • Detects Echelon Stealer payload

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2222-main/stpastio.exe

    • Size

      1.0MB

    • MD5

      76240af1d6ebffbf210af7d95b59b97e

    • SHA1

      8f029dfb9a98bd1c34335010c97780ac3f602d61

    • SHA256

      18f6c675acef58163ad7322fbbaf75ac8d92c50e3f4e2dd02f26bbc4a93f4262

    • SHA512

      71f2a9bb9a3ba9b0123fa302c6a96f9ff5b58be7804d1a84c170c4b69173428ddbc6807e91e034b23f83db9b51dfb8c6c7ae439fb822b7887927e5c84c007687

    • SSDEEP

      24576:jfQYNBhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR12Q:Po54clgLH+tkWJ0N5

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2222-main/test.exe

    • Size

      50KB

    • MD5

      934b148407a5f93bbeed3d5b2c91edde

    • SHA1

      208fa687dea4cae2bd7a15907834ce107aea2683

    • SHA256

      00a6aee5810a2f37be3722b8c05c363e9954e782f49e558f451c4097bbd6f217

    • SHA512

      4cd3d836a122a19888f4be5541c158aa8add24b6276d8d9ee3a120ea2d3cc9ceb72c284ae41d3fa8d30b6c4bbfd18fe97ef451293222b9b9c23d125d3a882c2c

    • SSDEEP

      768:nCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWUOh:D1Tzy48untU8fOMEI3jyYfPifOh

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      2222-main/token.exe

    • Size

      7KB

    • MD5

      a35189bbe526f95125f313585a23c091

    • SHA1

      571507b33c3bb4641562e86f66fab4068a807067

    • SHA256

      97ffdd15bd339158c3569a1183d8d42250932c262a570bf230db6e741b5eb815

    • SHA512

      b233916b3c56bf62098cda4a82f3e234ce9dbe20d60d055d6743464d0d75ab4890006327ea45c8f38f08284616f01f373ebe2a260b75cc1d0a74e2dae42169c5

    • SSDEEP

      96:qGhDBU9ZsETvsxblLSP8+Uqngf02CyZcFKfgfdlfBzNt:qGcoET1P8+UqVwfgFlfD

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks

static1

ratdcratechelon
Score
10/10

behavioral1

dcratinfostealerpersistencerat
Score
10/10

behavioral2

dcratinfostealerpersistencerat
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

Score
6/10

behavioral14

echelonspywarestealer
Score
10/10

behavioral15

echelonspywarestealer
Score
10/10

behavioral16

echelonspywarestealer
Score
10/10

behavioral17

Score
7/10

behavioral18

echelonspywarestealer
Score
10/10

behavioral19

Score
3/10

behavioral20

Score
3/10

behavioral21

echelonspywarestealer
Score
10/10

behavioral22

echelonspywarestealer
Score
10/10

behavioral23

bootkitpersistence
Score
6/10

behavioral24

bootkitpersistence
Score
6/10

behavioral25

echelonspywarestealer
Score
10/10

behavioral26

echelonspywarestealer
Score
10/10

behavioral27

Score
6/10

behavioral28

spywarestealer
Score
7/10

behavioral29

Score
3/10

behavioral30

Score
7/10

behavioral31

Score
6/10

behavioral32

Score
6/10