dcrat | 66118f9e36f34b03dd9e57de222e2572d488761866351c66ada09b455e017681 | Triage

Sharing

General

Target

ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.zip
Size

1.4MB
Sample

240402-mbhz2aef4w
MD5

c5a7656b939dc3c69cbbf31405f81d1b
SHA1

51c5852aec3eed93ddd65c49ecc1892409fe3982
SHA256

66118f9e36f34b03dd9e57de222e2572d488761866351c66ada09b455e017681
SHA512

7f50544bf06887f6a1216509ff4ccf997feb2de556e026892c86ecfc12b93c4c23e89054776a80214971b01fe65d6b52ecac822336f18fc8f793b08b945e802a
SSDEEP

24576:vnNvhb1AOKhVG2xM9YqCCM4yBN3EYeCVveOEIYf2mlJPudMA03TgTWHXvh2h:v/CThVG2kYJdNsCVWfjjG7iJ+

Score

10^/10

dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Targets

- Target
  
  ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe
- Size
  
  1.4MB
- MD5
  
  0bc27a2491501ac1f8d8010d8af1071a
- SHA1
  
  0e8cc9986c76a986593044e44c2489d675518295
- SHA256
  
  ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5
- SHA512
  
  e97d2d29eb673ef93db84ec41429917830d4d16d4fef919c3258daac1365b2e7ab75fefa2100ee9586a55cb70f0f85e72e6fe07211b45932d04db1761d3efc7d
- SSDEEP
  
  24576:5ye7KjbVGqBXh1pu9+rCDFZTSOO58v2yODPbNbOlcSGO6EC3gf/7qYP2mChCu4hP:szZh+am9eyWPhmtDC3eFP2quI
Score

10^/10

dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dcratmysticredlinesmokeloadergromebackdoorevasioninfostealerpersistenceratstealertrojan