Overview

overview

10

Static

static

3

SRTWARE LOADER.zip

windows11-21h2-x64

7

resources/d3d9.bin

windows11-21h2-x64

3

resources/rasplap.dll

windows11-21h2-x64

1

resources/rasppp.dll

windows11-21h2-x64

1

resources/rastapi.dll

windows11-21h2-x64

1

resources/rastls.dll

windows11-21h2-x64

1

resources/...xt.dll

windows11-21h2-x64

1

resources/rdbui.dll

windows11-21h2-x64

1

resources/rdp4vs.dll

windows11-21h2-x64

1

resources/rdpbase.dll

windows11-21h2-x64

1

resources/...ex.dll

windows11-21h2-x64

1

srtware loader.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SRTWARE LOADER.zip

  • Size

    2.0MB

  • Sample

    241109-p896wsvdqj

  • MD5

    4c7a5f378bb2c7828afac7e6ded2da3e

  • SHA1

    5dceb0f41c0642460baf963c3e5ca2a5c1a43305

  • SHA256

    b5f49743e9537684fc2980a4082f8f69a541d961136fa8177f08c673fc064b40

  • SHA512

    983ef330203600268592bdfabb83f4591700b244e9e70974c04933c1fb598ce01afeb6e05e1f3d52803721ec43c43d0646ce7f8631e547ba408f53daa8689376

  • SSDEEP

    49152:lUhTQ0+GZm8e8xVuqBQhFGFXreXyvBYDuDPgyCViF:Cd+GZv7xVRBQmpreXySDuf

Score
10/10
dcratphemedronecredential_accessdiscoveryevasionexecutioninfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6588835363:AAFQ228ubBfAgsCooCro8OibbaVCsDtoWIE/sendDocument

Targets

    • Target

      SRTWARE LOADER.zip

    • Size

      2.0MB

    • MD5

      4c7a5f378bb2c7828afac7e6ded2da3e

    • SHA1

      5dceb0f41c0642460baf963c3e5ca2a5c1a43305

    • SHA256

      b5f49743e9537684fc2980a4082f8f69a541d961136fa8177f08c673fc064b40

    • SHA512

      983ef330203600268592bdfabb83f4591700b244e9e70974c04933c1fb598ce01afeb6e05e1f3d52803721ec43c43d0646ce7f8631e547ba408f53daa8689376

    • SSDEEP

      49152:lUhTQ0+GZm8e8xVuqBQhFGFXreXyvBYDuDPgyCViF:Cd+GZv7xVRBQmpreXySDuf

    Score
    7/10
    discovery

    • Executes dropped EXE

    behavioral1

    • Target

      resources/d3d9.bin

    • Size

      383KB

    • MD5

      536843d6a17b56fb975c89676225536f

    • SHA1

      8fa0607c213a8c8d8f27e7ea0bcca8fa749bbe25

    • SHA256

      108a062affe0da9f6137c284823282dc28b650c75609fdfeb731491e8ba39679

    • SHA512

      a2fb98e917a8c40ea7bb34b91ae0effb1c355c19ce9ecdf2b8599bb12463a9850ebdcfbc641085d8b4a4c4fd03752ce109e7f415be1dac3dced150a84e0073d2

    • SSDEEP

      6144:e3j0Ka42hTxDUDDuGUIT4ttfpARtUOYVRFFyAptsV/XkX92HyJR4Gt3mX7I6ysB:0Q1DUDDmtfRV/AZZkN2AR73UI6JB

    Score
    3/10
    behavioral2

    • Target

      resources/rasplap.dll

    • Size

      231KB

    • MD5

      777891e96eb76261fbd6371e871dbe22

    • SHA1

      00dfbde673fb93d7222b0914ded924b1c1f1c26c

    • SHA256

      3e678aa29e0a28353dce4e6320a382d1301c5a11b885334f6fcae6b2cf9a126b

    • SHA512

      c77fe2448a5e6890e2308431f7a357f568aa15647e2238f6d9e9ca002fa2d76aa80ac06f5a3aaef440eef450c1806b2a3d5bb5479d04f534db7910e36e7e85da

    • SSDEEP

      6144:5cDUoKCq+BW4ErUOTMSZVagL1zfi+UKHzu3TjGbUqTao:5KKC4BrxnVau1/qET

    Score
    1/10
    behavioral3

    • Target

      resources/rasppp.dll

    • Size

      326KB

    • MD5

      d89e9b7dbfb864c35b5fa79a30cf4ddd

    • SHA1

      4c205ffe822f47945271ce057f9ed1d1d365bf44

    • SHA256

      b798371bbd8e1fa85f52c64c97af6d9132b8aaff5c3d2ce16765050e16b9391e

    • SHA512

      d16e2cb18bacae9ee15d222e6a437645498b7973a44e4f4a940f935b30dbaeded906ba8a743a8f53f27cc98b878bded42ca6de1fc0993a4a258f0ecb4abc7cb3

    • SSDEEP

      6144:4f2UTkc3FHi6cSw//4QEUxjp+9jZCnBjjt1FHs:Y20317cSw34QEUO9F8

    Score
    1/10
    behavioral4

    • Target

      resources/rastapi.dll

    • Size

      248KB

    • MD5

      984dd148acfdba8b480859c06aef220e

    • SHA1

      a9c9d129123aa8113e38dbcf6beeca5ad606cc85

    • SHA256

      0488f086508091922b45b8e1269024e77385d7f7d10faa6adc6f9d61d8202775

    • SHA512

      9c361e0685ea040451bc5fb9c04526bc7f2438c667b058e14678c3f59251ee4a28ed1d6ae21d6461d07efba099bc7bfeb010338c78e7e1dc0d6ff76b3b15bf31

    • SSDEEP

      6144:rR11WrjvtgiP9+23RQ2OBl8P0tc+S9gB:rR1QrjuA9+MZg

    Score
    1/10
    behavioral5

    • Target

      resources/rastls.dll

    • Size

      416KB

    • MD5

      317d5c8c2b3e060f791361518ea07207

    • SHA1

      38ac076a21fb230a5d058f6b6bfbca1441b1e161

    • SHA256

      b453da79cfc66854e29be3325ffdca99d4882da3243fc5620ef0fac305dcc34b

    • SHA512

      89f6427f141f0116baeabe230e812374081c847ad8dacd5f6fb19d35d91d55b9a130eacbcf95012f85d9f2d0b5a3cdf9416bb873c82111381bb2402dd839c15e

    • SSDEEP

      6144:aGUIu4YVb2lg2zi7a5hQhZ0eGN4c6fVtsIVGd69tjxFJyTUyW5ooVKZtkuZwhSZI:aaurb2lo7aHb6NeUTMTUHQtDUFH

    Score
    1/10
    behavioral6

    • Target

      resources/rastlsext.dll

    • Size

      255KB

    • MD5

      626ba8f4cb9f2819c103096cc4566170

    • SHA1

      5e150897c858a7a7a6ff9e8198cf721b08fc1d60

    • SHA256

      5f0d8a1a6e68bf7a96e3c86af7826a14c9964f1c04b73c0d5095c23c2d85edba

    • SHA512

      e918e8dafcacca87b77d11e720731b0129fe1e59f34439742b898a1e1e90e438ce7017df55827085092120d7f23f259f6ffe7c06908e0cbdce48b6ebafebe721

    • SSDEEP

      6144:WRwgeAYiSZ2jTpkobsWRb5jjOTCWgOx8qBtl:fgepLUTHRxjYp

    Score
    1/10
    behavioral7

    • Target

      resources/rdbui.dll

    • Size

      656KB

    • MD5

      94c44ebe808104532f32b7eb95fff7ab

    • SHA1

      5b75d6be3fa75588446fb2baa4099b8ca63bc017

    • SHA256

      391e84570831c75d134b7beed3163bf2ad5c4d93f15435fbe52e6f25513a94a3

    • SHA512

      4ccdbcea1c0cdd42936d5bb49b534a0abc9ca6cb384929f8e0a409b01578540114a6be7754946be124ee5f05ce505698a7a66c4e80c36482c23d3b6065f9bde4

    • SSDEEP

      12288:tYoxhI+IE1n8HUTNdY5FyAziZz7d+HCOMusI+IRhXDpqsk0oxKa2Ql:tFxhIv4t8FPCz5+gvIRVDpqsklxKSl

    Score
    1/10
    behavioral8

    • Target

      resources/rdp4vs.dll

    • Size

      127KB

    • MD5

      c34b2495e929aaf9a584923de4bf9c79

    • SHA1

      fea6b422e100310e3a732726c007b333e5e41f47

    • SHA256

      4a387ada622376e0fa40ec3161a9176cc3ebbeb08d24e5b78c78036db4e66807

    • SHA512

      633430fce8a061c87d704e921f51829f214bfaa13127632dc16db5081385aa093dea1ca5e15d0b1e64deefad29cd19d25c553c11d2b62c81d7bc93b1d03f39f0

    • SSDEEP

      3072:bm/HbILkzYa7tBE7klI9I+mODrDWplnjK9:b07z87BI3UD

    Score
    1/10
    behavioral9

    • Target

      resources/rdpbase.dll

    • Size

      1.5MB

    • MD5

      7e4f9e617f4cff7b67a879e08cd3b9fc

    • SHA1

      dd5d8d76a6e6f098455a6d6371771782956fb95f

    • SHA256

      15114a1ca11ac55ea2afade44e5dae6f051f708a9d3db30184501552d3ec308a

    • SHA512

      4880f3af72be03370e35967e67cc09db8798f44866d54eb919f3ec1da25298d2a007f078bb50a2fe06ebad89393d1425f17198a3cfc1c248f8852dae3d7dde03

    • SSDEEP

      24576:Ye7RBLEm+7INPIPHsFvUiHiPpShZfuCHAz2qrt9/tQq8xOGYTc8tZVyo2qa3Tk20:Ye7RyuPIPHsFcuiPpShZfPm2q3/tQN03

    Score
    1/10
    behavioral10

    • Target

      resources/rdpcfgex.dll

    • Size

      11KB

    • MD5

      509f4ec6462480ab8289824418b2bd76

    • SHA1

      1e2a4e39eadd7efa6ae39ed9e9a8cc372d2cfde7

    • SHA256

      7e335afb198b0708b2c44011e2cc6e131fb23f2c865fb58cf0c58af4a3903e58

    • SHA512

      30a1ea20a541c0d16393922eeaf3fcdb889f87f72d1be1b3b0007d9bdb356ee4b44208b8cfbe67822b0ebd56769a10aecff2210a642d6f263949cf60eca1c72d

    • SSDEEP

      192:Rrm64rKCcZX/PKxICY7bptRsnlQTIdWVwW5:RC64uCkKiCas6TUWVwW5

    Score
    1/10
    behavioral11

    • Target

      srtware loader.exe

    • Size

      2.0MB

    • MD5

      bf46ce4d79a8b92ca7bcd9d5812d9953

    • SHA1

      2ee8548524b14ff778186a04f4d845c91165e9d7

    • SHA256

      9938ba00ef26ff2e084cb062f4cc2ab5c85261fbddfe4a366fb3a2057e1b8098

    • SHA512

      fba9cbf2e5c3eacacb55f6f947369a24205a92e7c6ea2f357050a20ef7768b242d53343a39dcaf3768955510e63b91096235e612b15687796ec63264c33a28b0

    • SSDEEP

      768:palonD1HAe0yKidgBpZLUliXgxOVXzcfQw7m:pa2nDdQidgBrLG3mqm

    Score
    10/10
    dcratphemedronecredential_accessdiscoveryevasionexecutioninfostealerpersistenceratspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Phemedrone

      An information and wallet stealer written in C#.

      stealerphemedrone

    • Phemedrone family

      phemedrone

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks