General
-
Target
270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8
-
Size
113KB
-
Sample
241107-zyay6a1ndl
-
MD5
7cf417d06a24c1ade73ec6d8ae589077
-
SHA1
128516790f9c6d8ac1d33a9f1f2b854162d94942
-
SHA256
270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8
-
SHA512
3f5615b04489cfc755e19efc30fe619026dfacd250bb1c1677e1c55ceb6f69a80d0f05760c157696985e1090c34e8e403b453e5680fb981f274bdd66e2fcb5bb
-
SSDEEP
3072:RSb0MKWY3tfR2y+/ESH7V3wy3OcpN4LBzl:44JWGJ+/ESx3wy+c34LBZ
Malware Config
Extracted
orcus
Roblox
89.23.100.155:1337
52641f3c61234743ba12f855fdae3135
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%AppData%\Windows\Helper\WinHelper32.exe
-
reconnect_delay
10000
-
registry_keyname
WinHelper32.exe
-
taskscheduler_taskname
WinHelper32
-
watchdog_path
AppData\WinHelperWatchdog.exe
Targets
-
-
Target
270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8
-
Size
113KB
-
MD5
7cf417d06a24c1ade73ec6d8ae589077
-
SHA1
128516790f9c6d8ac1d33a9f1f2b854162d94942
-
SHA256
270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8
-
SHA512
3f5615b04489cfc755e19efc30fe619026dfacd250bb1c1677e1c55ceb6f69a80d0f05760c157696985e1090c34e8e403b453e5680fb981f274bdd66e2fcb5bb
-
SSDEEP
3072:RSb0MKWY3tfR2y+/ESH7V3wy3OcpN4LBzl:44JWGJ+/ESx3wy+c34LBZ
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
-
Orcurs Rat Executable
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Hijack Execution Flow: Executable Installer File Permissions Weakness
Possible Turn off User Account Control's privilege elevation for standard users.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1