Overview

overview

10

Static

static

10

Youtube.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SolaraBootsrapper.rar

  • Size

    6.1MB

  • Sample

    240717-qa9m5sveke

  • MD5

    706df4069dacbd0cd0d80c5319431eec

  • SHA1

    e582f777cc585cdbc45c1eeafcef2307727c1f17

  • SHA256

    53d6112deaab099a9da782ba5fe8ccf729b2b1328bb0a62afdc9f09f9cd427c6

  • SHA512

    e74da6eff06a8627dec2fc0f5619cbfe55d4244167679951c905367f8625f5da7638d29b34cdc7d524d02d5f8b6d1acdda407eb679638d75a87d6abea2ad4f78

  • SSDEEP

    196608:76l2VFjUSLzLnFdH1ysmVYEaqr7xzFPST7x91G/5rF:7RUSLzDFdHAJV/RHtN0x9WF

Score
10/10
dcratgurcuxmrigdiscoveryevasionexecutioninfostealerminerpersistenceratspywarestealerthemidatrojan

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendPhoto?chat_id=7391062786&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20518e2696ef60230f00896d7af20e1c69534f79da%0A%E2%80%A2%20Comment%3A%20br0ken%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20IMKBEUOX%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CAll%20Users%5CStart%20Menu%5CbackgroundTaskHost.ex

Targets

    • Target

      Youtube.exe

    • Size

      8.7MB

    • MD5

      d25ebdfc04bdadea74017fa72f90781f

    • SHA1

      f7278c4d04fc4db888368e0245d7607d8bcbb557

    • SHA256

      9f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f

    • SHA512

      77cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71

    • SSDEEP

      196608:fE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5m:fE9B0OjrdLK4J/Y

    Score
    10/10
    dcratgurcuxmrigdiscoveryevasionexecutioninfostealerminerpersistenceratspywarestealerthemidatrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

Remote System Discovery

1
T1018

System Information Discovery

5
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.