dcrat

General

Target

18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97
Size

390KB
Sample

240508-2grlpade42
MD5

18b50c6016cd5d7ff2f01b71a5e3373b
SHA1

d62dc0a84e39a1fff24163153761c62a55ff30fe
SHA256

18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97
SHA512

27e0017fa30a9322e71191b2c4954d1f55d8fe827f029092fa3bdd6a52e799bbb671a776c3596a1df02d8ebe660b2192f293cb67252ec289bbc99a8725ceaa19
SSDEEP

6144:LlEGEyWKpTlDB878Ed8nFO+tFXFBCorNVDq5GZJrtLK7BYY0g2wqS5e8x:KGEyWERrpdTjZDqeh2Beg28Tx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32

Targets

- Target
  
  18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97
- Size
  
  390KB
- MD5
  
  18b50c6016cd5d7ff2f01b71a5e3373b
- SHA1
  
  d62dc0a84e39a1fff24163153761c62a55ff30fe
- SHA256
  
  18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97
- SHA512
  
  27e0017fa30a9322e71191b2c4954d1f55d8fe827f029092fa3bdd6a52e799bbb671a776c3596a1df02d8ebe660b2192f293cb67252ec289bbc99a8725ceaa19
- SSDEEP
  
  6144:LlEGEyWKpTlDB878Ed8nFO+tFXFBCorNVDq5GZJrtLK7BYY0g2wqS5e8x:KGEyWERrpdTjZDqeh2Beg28Tx
Score

10^/10

dcrat glupteba smokeloader stealc zgrat pub2 backdoor discovery dropper evasion execution infostealer loader persistence ransomware rat rootkit stealer trojan upx
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMon driver.
  Roottkits write to WinMon to hide PIDs from being detected.
  rootkit evasion
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2