dcrat

General

Target

583d73f0111e0aeed0a34fa4fc4ba85875a11f88ac93f9bacb59359aaf5b94e2
Size

294KB
Sample

240328-2eejcaba68
MD5

5700c54d51e14d0ce00bbbb6015baed2
SHA1

71eb9361a9d6b35317fc8a385b748a8a6ce3bee7
SHA256

583d73f0111e0aeed0a34fa4fc4ba85875a11f88ac93f9bacb59359aaf5b94e2
SHA512

9dddd66cf82aead6400a19e81ccd0ebc0f5e312bc5772937e1929820a1db0fb74cf1480ef3bb9e9c70aefa25ce02c8c7d9f1a17bff6eb2137d76247a61eb2b9d
SSDEEP

3072:QnAsasNY7mVLSD+i+XiXwc+ODB9mwsozColOZ8Y08rebNLC4NDBwo5XxrY:EAESDRfRN9lt5lOaYqbRntwAXx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.0:29587

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

https://affordcharmcropwo.shop/api

Targets

- Target
  
  583d73f0111e0aeed0a34fa4fc4ba85875a11f88ac93f9bacb59359aaf5b94e2
- Size
  
  294KB
- MD5
  
  5700c54d51e14d0ce00bbbb6015baed2
- SHA1
  
  71eb9361a9d6b35317fc8a385b748a8a6ce3bee7
- SHA256
  
  583d73f0111e0aeed0a34fa4fc4ba85875a11f88ac93f9bacb59359aaf5b94e2
- SHA512
  
  9dddd66cf82aead6400a19e81ccd0ebc0f5e312bc5772937e1929820a1db0fb74cf1480ef3bb9e9c70aefa25ce02c8c7d9f1a17bff6eb2137d76247a61eb2b9d
- SSDEEP
  
  3072:QnAsasNY7mVLSD+i+XiXwc+ODB9mwsozColOZ8Y08rebNLC4NDBwo5XxrY:EAESDRfRN9lt5lOaYqbRntwAXx
Score

10^/10

dcrat glupteba smokeloader pub1 backdoor discovery dropper evasion infostealer loader persistence rat trojan lumma redline logsdiller cloud (tg: @logsdillabot)rootkit spyware stealer upx
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Windows security bypass
  evasion trojan
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2