General
-
Target
Testing (4).zip
-
Size
5.9MB
-
Sample
241124-cdg6eatrdk
-
MD5
695d4ce0d09b895d3bcb76f12dbc8500
-
SHA1
10ab3ecfacec5bbef521a1fb2dbe7cb8d4543db2
-
SHA256
28d0e507702ae894ef549d90e981d965e73dddb9ae0f80ce607a60f5beab1d6f
-
SHA512
75bce4480d136e61b3bde3d2a07995f9a528f5217e5ef10655b394f457e563df00730ffac592648dd945b75aebd024318c8afa11a4071c899c79b1a4a16264db
-
SSDEEP
98304:VYhsAjqphjdMXv8Xg1qdPNGWI833edIVEXYxssdOTyc4Fh+LhwgLUpjbk387dYu6:qsAW7jakwUGbE3edIqB2c4FIhwg6/y6M
Behavioral task
behavioral1
Sample
Testing (4).zip
Resource
win11-20241007-en
Malware Config
Extracted
discordrat
-
discord_token
MTMwOTg3NTA0MzA1MTg5Njk1NA.GTR-3U.C7tazMXoRaSR--tVDMbQdoDKBw2f8bLXItZIRo
-
server_id
1309876526615101530
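The discord_token and server_id above can be sanity-checked offline. The script below is an added example, not part of the sandbox report and not code from the sample: it decodes the first token segment, which Discord encodes as unpadded base64 of the bot's user ID, and converts that ID and server_id (both Discord snowflakes) into creation timestamps. The snowflake epoch of 1420070400000 ms (2015-01-01T00:00:00Z) is assumed from Discord's documented ID format; the second and third token segments are treated as opaque and are not decoded.

```python
"""Decode Discord identifiers from an extracted discordrat config.

Added example, not from the sandbox report. Checks that the first token
segment is the base64 of the bot's user ID and turns that ID and the
configured server_id (both Discord snowflakes) into creation timestamps.
"""
import base64
from datetime import datetime, timezone

# Values copied from the extracted discordrat config above.
DISCORD_TOKEN = "MTMwOTg3NTA0MzA1MTg5Njk1NA.GTR-3U.C7tazMXoRaSR--tVDMbQdoDKBw2f8bLXItZIRo"
SERVER_ID = 1309876526615101530

# Assumed from Discord's documented snowflake layout: 2015-01-01T00:00:00Z in ms.
DISCORD_EPOCH_MS = 1420070400000


def bot_id_from_token(token: str) -> int:
    """Return the bot user ID carried in the first token segment.

    The segment is urlsafe base64 without padding, so padding is restored
    before decoding. The other two segments (timestamp, HMAC) are ignored.
    """
    first = token.split(".")[0]
    padded = first + "=" * (-len(first) % 4)
    return int(base64.urlsafe_b64decode(padded).decode("ascii"))


def snowflake_to_datetime(snowflake: int) -> datetime:
    """The top 42 bits of a snowflake are milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def summarize(token: str = DISCORD_TOKEN, server_id: int = SERVER_ID) -> dict:
    """Bot ID, bot creation time, guild creation time, and their gap in seconds."""
    bot_id = bot_id_from_token(token)
    bot_created = snowflake_to_datetime(bot_id)
    guild_created = snowflake_to_datetime(server_id)
    return {
        "bot_id": bot_id,
        "bot_created": bot_created.isoformat(timespec="seconds"),
        "guild_created": guild_created.isoformat(timespec="seconds"),
        "guild_after_bot_s": int((guild_created - bot_created).total_seconds()),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Both the bot and the guild resolve to 2024-11-23 UTC, a few minutes apart, which is consistent with the 241124 prefix of the sample ID if that prefix is read as a YYMMDD date. The ID segment of the token is not secret on its own; the full token is, so it should be reported to Discord for revocation and never used to authenticate.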
Extracted
meduza
109.107.181.162
-
anti_dbg
true
-
anti_vm
true
-
build_name
761
-
extensions
none
-
grabber_max_size
1048576 (1 MiB)
-
links
none
-
port
15666
-
self_destruct
true
Extracted
amadey
5.04
4bee07
http://185.215.113.209
-
install_dir
fc9e0aaab7
-
install_file
defnur.exe
-
strings_key
191655f008adc880f91bfc85bc56db54
-
url_paths
/Fru7Nk9/index.php
Targets
-
Target
Testing (4).zip (same sample; hashes as listed under General)
-
Amadey family
-
DcRat
DarkCrystal (DcRat) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Discordrat family
-
Meduza Stealer payload
-
Meduza family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15 (technique, sub-technique, count of matching signatures)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Browser Information Discovery (1)
  Query Registry (7)
  Remote System Discovery (1)
  System Information Discovery (4)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  Virtualization/Sandbox Evasion (2)