dcrat

Resubmissions

21-08-2024 19:30

240821-x76q3sweqg 10

21-08-2024 17:42

240821-v92h2avgpj 10

12-06-2024 16:01

240612-tgps4a1bqh 10

Sharing

Copy URL

Twitter E-mail

General

Target

MyDoom.zip
Size

7.4MB
Sample

240821-x76q3sweqg
MD5

67a0019ef0d6a0e457151452d6d1e64e
SHA1

f74247dc2feeebc38b2a86e8e919160798b27fd9
SHA256

195688fdc5454fb7f6ba8188015e395bfe86876a9c0e28b818944ee264f0e77c
SHA512

2b03b2523ac6f9fa01cbc38e572cdf8b60e0bd73d48813db0dfdd7df45896622f21a6dc16f6d68a1e062cdb1c8983768d8cef737393e7e91ef31f3509d40c45e
SSDEEP

196608:jZiFnVyuWadlIK+pU3Y40y9InO+K8Lsi2X:1iFnVyuWaP6paY4PuPt2X

Score

10^/10

Malware Config

Targets

- Target
  
  00b9b6cf27deeda8de99d1719ef724808afa92080026df8dd17159be8ea420f7.exe
- Size
  
  879KB
- MD5
  
  af466faccd8bbab030d12caf7b16ea61
- SHA1
  
  e18711fe226d39fe182c45ea1a15ccc587980b67
- SHA256
  
  00b9b6cf27deeda8de99d1719ef724808afa92080026df8dd17159be8ea420f7
- SHA512
  
  2599b3b6db13c14e36bc24980da5457c8788624050ad727d2b1d8975b6405e1a6dfee9829a849900edcc7cc831b69604cce9e6e7e0080835e426df343a1d6e64
- SSDEEP
  
  12288:D+of7uHr7XLo+U90C447TmTWCsNWGHBm++WDzLGfWCayErUUxmptN:Dr7uH3vu0B4OWZxPDnG5ErUn
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  05500734fe07ac2b5bc89aa12b090203c4b74851cb0d62bd388f27ec6d6caa81.exe
- Size
  
  15KB
- MD5
  
  32915fef0066f3a580ae9389d83e195f
- SHA1
  
  e000d59d91a6039c28a628ec436f680f41e8ffec
- SHA256
  
  05500734fe07ac2b5bc89aa12b090203c4b74851cb0d62bd388f27ec6d6caa81
- SHA512
  
  57d43daac4bc5d550bed9724dc8c2041111dba3f3a52fca7b688e3d6b64267c34c537b8045d974e007412f504aeb3428f571c360b053faff7c040c4bc235cbd8
- SSDEEP
  
  192:F7r4fe9FV9wQw0XJ58CWuVmcmLQ4k8Md0QiyIWNMrXRkf1ZdDjgXFk3AaDvFmv:FAfe7wQw+4Cc84ZM6eIkf1Z1jgXKHC
Score

1^/10
behavioral3 behavioral4
- Target
  
  0b75e2fadffc45dff940e58f5b6f8d99832426bb880f432f98d853308b29c9c5.exe
- Size
  
  355KB
- MD5
  
  ff4c98aae03f63b8256dd765e99f5934
- SHA1
  
  db774f2c4a2ed02f42effd6016e6ee7b8ae5cfde
- SHA256
  
  0b75e2fadffc45dff940e58f5b6f8d99832426bb880f432f98d853308b29c9c5
- SHA512
  
  eea1f000945adf51217d3b3e6faaa947c683de5c278ce0c7870360d959d65347804b563853d32ce2d49bd6fb0567c9d0d065ee561bb4b16d66af1bbd98197c1d
- SSDEEP
  
  6144:wlZzOaQGDj25OFco79+ITkBXkHQYfrF1aK0FAbw1lZzOR0x0k5kPFOM+11c5K9b:YZTP2kioZD1rUxPZA0x/ksB9b
Score

8^/10

discovery persistence upx
- Drops file in Drivers directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
- Size
  
  9.4MB
- MD5
  
  813b749967045532f86e6442447bcd8b
- SHA1
  
  8d0615e7f7ba672a3fc94c05a9451f9d08797af7
- SHA256
  
  0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464
- SHA512
  
  47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877
- SSDEEP
  
  24576:GYx7SFGwWG8/Ad5kybgeK8uQY2ZqR7NlaDbTxnVhv2MMLdGIhJ:IFFbK8q2ZhDbTNv2MuV
Score

10^/10

dcrat discovery infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  1760c5727e5568d3b18a1cbf0d50c311613699af8233c96fb3eee197f438ce9c.exe
- Size
  
  28KB
- MD5
  
  e26570922a9373c1f3a06f647ddd10a4
- SHA1
  
  e0f6853e39e0b9fbcb3062bb7e15b8734b9df9f3
- SHA256
  
  1760c5727e5568d3b18a1cbf0d50c311613699af8233c96fb3eee197f438ce9c
- SHA512
  
  e17a8c1ca8aa6c65106831086f203736b7bdd92c54d2487f381f7d7303a5f3852859935ef55a913dd8856c6015a5f9414308430ae1ff4b5690743025f8ff4c70
- SSDEEP
  
  384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNQ05:Dv8IRRdsxq1DjJcqf8
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral10 behavioral9
- Target
  
  1fe99fb7c527a90826896e695f23e712375358df3c7aa9163af6b96d872a9f81.exe
- Size
  
  21KB
- MD5
  
  26b8bc40d95b979e1e708a9f843242ad
- SHA1
  
  229284e8cb74bbfae647eb160e4188bda3e50721
- SHA256
  
  1fe99fb7c527a90826896e695f23e712375358df3c7aa9163af6b96d872a9f81
- SHA512
  
  e53fb1b351f47227c1568718c99cc78048507518ac823cebccddebdc630845f9c972a746036f67d416275bdb1667d298ddd6a0fd4e0fea4dc096d7c2cfcf0625
- SSDEEP
  
  384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzU4ek+:SCIqdH/k1ZVcT194jp44eD
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  23361735678f37d77510b22306c727a987f84c87143bb0062f3d76413c36fc98.exe
- Size
  
  21KB
- MD5
  
  3f122d9a0b7a9f1aa8c973d170ee8d55
- SHA1
  
  3fb032e1a7a3a9cc5ce0d5f03fbb7f74a063ce39
- SHA256
  
  23361735678f37d77510b22306c727a987f84c87143bb0062f3d76413c36fc98
- SHA512
  
  25b3db24d20482476e07e29bcee1e231e106d1ec8e36bc390960085595816268ced9c6d392ee21e48c0643801e14c4bb88e1d006fc35467a1abf7b66a423fad4
- SSDEEP
  
  384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUEBI:SCIqdH/k1ZVcT194jp4ES
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral13 behavioral14
- Target
  
  2522b83852588bc0f7f620f9b4fe3a9337b9608be335d3958d190275f333df03.exe
- Size
  
  49KB
- MD5
  
  d4aae2114968c886660e4cbf1c694160
- SHA1
  
  c5b6d1ccc5f238686f3be7bfff44c9b612d74efb
- SHA256
  
  2522b83852588bc0f7f620f9b4fe3a9337b9608be335d3958d190275f333df03
- SHA512
  
  69d0c95abcb789b5e638e826c0b827634fb076248c659b1d2d62741383a62510d6ad6b1e6c16ea1a2ab7f2ac271ba56958e0f070def4a33c6bcaacba848c8395
- SSDEEP
  
  768:nqQ07c92/EyTAYtxqfGNC0klI7C8ycYlI5P194jp49w404LY:n87wc1aGNC0klI7CPpIFa69wAY
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  2af6bc16f25822d6d2f1429bc15f3d47f6c0bcb026ba387249d173fc753919b2.exe
- Size
  
  22KB
- MD5
  
  44fad0089dd3b0b481f30486646fd3f0
- SHA1
  
  54a3e4359bedeba0d8747e2bc7e94ebbd48feef3
- SHA256
  
  2af6bc16f25822d6d2f1429bc15f3d47f6c0bcb026ba387249d173fc753919b2
- SHA512
  
  7137de8a76aa91bc921a7334dde182eaa786a42bc5dc7369e9265f9226ea52bedf003e8ba707f297d880828daa5f1183233d985cb98e371eb711c2523a1a0acc
- SSDEEP
  
  384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUIegaC3:SCIqdH/k1ZVcT194jp4IegaC3
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
- Size
  
  41KB
- MD5
  
  3e67d212278e1af5be913d236399fcf6
- SHA1
  
  f993125ed4af1de6a551a6e0843a6d124cd46f27
- SHA256
  
  3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464
- SHA512
  
  f7e6394c9f9fdd6a03c72aaece5b4911cb821680a632f94b622b12d94cff9873d93b2c6604016524bdab4dd6e4b70b532c440f6b296138677be19e078ad23ec7
- SSDEEP
  
  768:/eMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09sy:/q5VwWDjDkdTRqHFOn8tIbbeYiuZIFSl
Score

7^/10

discovery persistence
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral19 behavioral20
- Target
  
  3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5.exe
- Size
  
  41KB
- MD5
  
  b1f6a4cc592f3c9f7d4b69c02ac74d11
- SHA1
  
  db2db17c1d3e2c4f3a45aad9215cc77ed455ffcc
- SHA256
  
  3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5
- SHA512
  
  66c3d5cb3c9bf13604748853797e4c1a1eae13d52cdf43f16da0b1b180ad0c10102a2935d4d6bd0549f6e48427c0181cbb07f1ee664274727dff0cc61e5075c5
- SSDEEP
  
  768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral21 behavioral22
- Target
  
  493813116f32ad6f455676cd54e32a2167ece845038202614cbb49e126f5afdc.exe
- Size
  
  21KB
- MD5
  
  fd6deb4cda087d7a60b6b28104fad84b
- SHA1
  
  6826e88b55a2794f9ea72c86bb9cfd084fe2aee9
- SHA256
  
  493813116f32ad6f455676cd54e32a2167ece845038202614cbb49e126f5afdc
- SHA512
  
  afa16663956ffa8d50d7a6622c7cb01d9b01f83c1ef21dfce1eeffc8cc217499e7a78bcea952b59c501caa71b3aaa5b2c144ed30529685efb55266678eb18dc3
- SSDEEP
  
  384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUMO2:SCIqdH/k1ZVcT194jp4N2
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  4d61a61265cdd942cff973609170529eaf19579b5d17e64deccbd6f6f1fdfa08.exe
- Size
  
  29KB
- MD5
  
  0d14590170f35263c0e3f0e0e1594720
- SHA1
  
  21414e31724eb95408a4031a0c0508b2a12260e7
- SHA256
  
  4d61a61265cdd942cff973609170529eaf19579b5d17e64deccbd6f6f1fdfa08
- SHA512
  
  76e6fbd04c08b749b46ce1499e15ad58d7bb8d0c20db0a0fae54001f973aaa73e961cf80558c090d31d7f69918562c519c01c2cb441548feca63cea37792aa3c
- SSDEEP
  
  768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/V:AEwVs+0jNDY1qi/qt
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral25 behavioral26
- Target
  
  510827ce687ad00545a1726c25a00f65e7d685b7dcd857fc6f11a0392feee5c5.exe
- Size
  
  28KB
- MD5
  
  6cdec3ccff3c2a0c2602bc89443f865f
- SHA1
  
  cf7ac47ec2e5b261786c9c11d30a09050bf459be
- SHA256
  
  510827ce687ad00545a1726c25a00f65e7d685b7dcd857fc6f11a0392feee5c5
- SHA512
  
  c97f74a3486b1018c2413473a82ca9d1f777c05993c4b3da4adca0006165107c2ecd14251f77e3cfcd8ea3949f64332e35e43648426f750aad8eb597f87370bb
- SSDEEP
  
  384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNanRiEMnY:Dv8IRRdsxq1DjJcqfFRn4Y
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral27 behavioral28
- Target
  
  5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe
- Size
  
  41KB
- MD5
  
  64276638075d3cab665966be7f366682
- SHA1
  
  3fb9c599d5dc9188332b4a9c0f1262c07ee24699
- SHA256
  
  5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a
- SHA512
  
  1bbd7440a14f8651ef4433cdda3a48071024838688f8ff88a0688cf56f28854232446f655731a44d1f02f1e572697e132f06c92dfa170825433154042be02826
- SSDEEP
  
  768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral29 behavioral30
- Target
  
  6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c.exe
- Size
  
  28KB
- MD5
  
  e5128ece1b9916a6df7cd56d66c193c2
- SHA1
  
  c99f687b182f3dee71e8434360595832ea431075
- SHA256
  
  6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c
- SHA512
  
  67b9166f33c78140ce2259df9a7bae92e6cae066b7f54cb0ebdec183ef1ffaf958f6cd24b0bb01e2b6a302fb73e9c5c057554c825e1496ef3b679e77dd7715af
- SSDEEP
  
  384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNHS6e:Dv8IRRdsxq1DjJcqfH
Score

10^/10

mydoom discovery persistence upx worm
- Detects MyDoom family
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Drops file in Drivers directory

UPX packed file

Adds Run key to start application

Drops file in System32 directory

DCRat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Detects MyDoom family

MyDoom

Executes dropped EXE

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

UPX packed file

Adds Run key to start application

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Detects MyDoom family

MyDoom

Executes dropped EXE

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

Executes dropped EXE

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

Executes dropped EXE

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

Executes dropped EXE

UPX packed file

Adds Run key to start application

Detects MyDoom family

MyDoom

Executes dropped EXE

UPX packed file

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5