General
Target: SRTWARE LOADER.zip
Size: 2.1MB
Sample: 241111-y2axwsymgr
MD5: b96f7bad986c9438c2d4fb1cd7cefe50
SHA1: 2e365a8ec7adbab96160e362452e79f3e693daa8
SHA256: f0278f9a1784ea2ed831558adc963c7f8ccf3da06e80d343a21119a5f13adb03
SHA512: 33feee40f97c0e5a18eff371c254f49bddfca305dd40d4689604ebf25acd75b6d3b8437555089cc1b513eb1668f58b28c69d3d65bd46c85e0accb697672d0a36
SSDEEP: 49152:042VAVX5l+jtev0SSegJny9lwYdORlg1+NzJsDZPVv:04Xk0OegJyltd6eI1Qd
Static task: static1
Behavioral task: behavioral1
Sample: SRTWARE LOADER.zip
Resource: win11-20241007-en
Malware Config
Extracted: phemedrone
C2: https://api.telegram.org/bot6588835363:AAFQ228ubBfAgsCooCro8OibbaVCsDtoWIE/sendDocument
Targets
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Dcrat family
- Phemedrone family
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Unsecured Credentials: Credentials In Files: steals credentials from unsecured files.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (counts in parentheses are the number of matching behaviors)
Execution
  Command and Scripting Interpreter (2)
    PowerShell (1)
  System Services (2)
    Service Execution (2)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)