Analysis
-
max time kernel
134s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-05-2024 05:54
General
-
Target
Nursultan.exe
-
Size
1.4MB
-
MD5
04dd1f99162ef231ab0c9d28d181e9d2
-
SHA1
af9cb52510704981a6e3daeae61c617d711366ef
-
SHA256
c383f1a8383c27fda0910a6691aa4a7561d86094e3309df7d2ad787d8e601086
-
SHA512
701b7557e14384648fafdc58ae28f76abee5d1c9f567884c42371e722d699d923ac6df68d0a896207452a2eeea4fe65cbcd350f11a2ff519b51b776970565614
-
SSDEEP
24576:wBmXmo2G/nvxW3Ww0tBBlxD41ittL91eboEH2IgYAUUjZhI:wBi3bA30BBlxnioE5AW
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1245420777592062054/saI81XWOLJi1mJiEEt2FK-cyIKsq2Ayc-BlexWZ-2Fj0plrNSjRsNmF63M5uf5r_C7a0
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
resource: behavioral1/memory/1996-11-0x0000000000400000-0x0000000000572000-memory.dmp; yara_rule: dcrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; Process: Nursultan.exe -
Executes dropped EXE 1 IoCs
pid Process 1968 Insidious.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 7: freegeoip.app; flow 8: freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid 1968 Insidious.exe; pid 1968 Insidious.exe; pid 1968 Insidious.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege; pid: 1968; Process: Insidious.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description: PID 1996 wrote to memory of 1968; pid: 1996; Process: Nursultan.exe; procid_target: 83
description: PID 1996 wrote to memory of 1968; pid: 1996; Process: Nursultan.exe; procid_target: 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe" (level 1)
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\Insidious.exe "C:\Users\Admin\AppData\Local\Temp\Insidious.exe" (level 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
Network
-
Remote address: 8.8.8.8:53
Request: 241.150.49.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 216.131.50.23.in-addr.arpa IN PTR
Response: 216.131.50.23.in-addr.arpa IN PTR a23-50-131-216.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: freegeoip.app IN A
Response: freegeoip.app IN A 172.67.160.84; freegeoip.app IN A 104.21.73.97
-
Remote address: 172.67.160.84:443
Request:
GET /xml/ HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 30 May 2024 06:55:43 GMT
Location: https://ipbase.com/xml/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RsNPUcteJ32YCb1rMOFtal1ttNX%2FN32D1Qi73smzyygpgeEHerpwIT33nZXYQnTXcArTbGUUTI0kY%2FdOLs4CFfKB%2FXkO4aw13yqHF46TNrUcpcQIos4VAE9MLDz1ElhT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88bc7a12e84b93eb-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: ipbase.com IN A
Response: ipbase.com IN A 172.67.209.71; ipbase.com IN A 104.21.85.189
-
Remote address: 172.67.209.71:443
Request:
GET /xml/ HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Age: 43572
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; hit
Vary: Accept-Encoding
X-Nf-Request-Id: 01HZ41323HRS203CA5B079XK55
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PLuUkfv2TVahan2SLbUQYweF9%2Fh2qRf%2B0CbW8IAXo1pPQlfi%2BpgoaVD4%2FvV4YYUw%2B9FohSr%2BGCIhIkUyabytXSvlFyRvgLCii7PgTJWR%2FYAnTEGkZF3TECP4EQcE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88bc7a13ac446555-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: 84.160.67.172.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 71.209.67.172.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 138.32.126.40.in-addr.arpa IN PTR
Response: (empty)
-
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
Remote address: 23.62.61.129:443
Request:
GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 30 May 2024 05:55:45 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1717048545.bd9f770
-
Remote address: 8.8.8.8:53
Request: 129.61.62.23.in-addr.arpa IN PTR
Response: 129.61.62.23.in-addr.arpa IN PTR a23-62-61-129.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 28.118.140.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 183.59.114.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 15.164.165.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 43.58.199.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 82.90.14.23.in-addr.arpa IN PTR
Response: 82.90.14.23.in-addr.arpa IN PTR a23-14-90-82.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response: tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net; mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net; dual-a-0001.a-msedge.net IN A 204.79.197.200; dual-a-0001.a-msedge.net IN A 13.107.21.200
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 468637
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E52E03F557CD4BC4AAE49E313175A4A5 Ref B: LON04EDGE0615 Ref C: 2024-05-30T05:57:23Z
date: Thu, 30 May 2024 05:57:23 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 449656
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1A460C910D4D43F3A46DA0A87AE62699 Ref B: LON04EDGE0615 Ref C: 2024-05-30T05:57:23Z
date: Thu, 30 May 2024 05:57:23 GMT
-
766 B 6.0kB 9 8
HTTP Request: GET https://freegeoip.app/xml/
HTTP Response: 301 -
852 B 9.3kB 11 13
HTTP Request: GET https://ipbase.com/xml/
HTTP Response: 404 -
23.62.61.129:443 https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 tls, http 21.5kB 6.3kB 17 11
HTTP Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
HTTP Response: 200 -
204.79.197.200:443 https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 tls, http 234.4kB 957.9kB 706 704
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Response: 200
HTTP Response: 200 -
1.2kB 8.1kB 16 14
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
216.131.50.23.in-addr.arpa
-
59 B 91 B 1 1
DNS Request
freegeoip.app
DNS Response
172.67.160.84, 104.21.73.97
-
56 B 88 B 1 1
DNS Request
ipbase.com
DNS Response
172.67.209.71, 104.21.85.189
-
72 B 134 B 1 1
DNS Request
84.160.67.172.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
71.209.67.172.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
138.32.126.40.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
129.61.62.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
82.90.14.23.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.200, 13.107.21.200
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
303KB
MD5 bf315b4f45ed1773fcf9384a004df664
SHA1 728d338d4889c1a92d4d5df7a8afb0bf2d4e73b1
SHA256 8cd6840512dac2770f4960ed7e4291bbe6b655b5905f4bb751c9383ba827a822
SHA512 f0b2cff9469f8935e0012ae68711d655c7d6d563f242da14565f153591f3d0d281c31123a99c913262915fb76cf3c2a027642bf43ff69b27289640c7e3339b6a