General
-
Target
06293c3726a8b6029225668dcfb8c7e8
-
Size
7.3MB
-
Sample
241107-mv3tjstlaj
-
MD5
06293c3726a8b6029225668dcfb8c7e8
-
SHA1
1db3a38e9cff8b2aec7b73668e6768002c2bddbf
-
SHA256
ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
-
SHA512
33a80c1dec409c83d82cb9e1149a90ca11024d726b58b83035ab149b22989c4406cacab57adf6da5ce0d49cb393d4c2fcf58cd2491d0b0c0c5382e06bc35f376
-
SSDEEP
196608:68waBBQvE8waBBQv36od0Ntiq0rG6MvF:68waB+88waB+/jwtivrr
Malware Config
Extracted
redline
Lucifer
162.55.169.73:49194
Targets
-
-
Target
06293c3726a8b6029225668dcfb8c7e8
-
Size
7.3MB
-
MD5
06293c3726a8b6029225668dcfb8c7e8
-
SHA1
1db3a38e9cff8b2aec7b73668e6768002c2bddbf
-
SHA256
ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
-
SHA512
33a80c1dec409c83d82cb9e1149a90ca11024d726b58b83035ab149b22989c4406cacab57adf6da5ce0d49cb393d4c2fcf58cd2491d0b0c0c5382e06bc35f376
-
SSDEEP
196608:68waBBQvE8waBBQv36od0Ntiq0rG6MvF:68waB+88waB+/jwtivrr
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Disables service(s)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Sectoprat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Possible privilege escalation attempt
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Obfuscated Files or Information
1Command Obfuscation
1