dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

4363463463464363463463463.exe.zip
Size

4KB
Sample

241216-f2cglswlhs
MD5

bf2576a51019701d6cb76a8215d7983c
SHA1

e9a0775dfecf74d3156f649486ac1d71c2cd788e
SHA256

c717c5ec497b7e90b14e8b7b4749bfb9950fe6839206b51aa3ba22499573f467
SHA512

2cb818691558f144e15b9bd1d807cb9fe629f976e304abec90422e27f2bc9036257fc20deaf9bb3471eb146d02afc8dfd236323464c412c910e6e844fc76399e
SSDEEP

96:uKFYK1x5W3t+A5PN2ZF9T9lsR+KEwVWICPUFCSC8k1:76W5wt+An2X9MGNIqryU

Malware Config

Extracted

Family

xworm

45.200.148.216:7001

exonic-hacks.com:1920

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7599165338:AAEewD8UlsW6A5a5m2CBqKPN0NOcI0CI6MY/sendMessage?chat_id=6724848271

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
753f85d83d
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

testinghigger-42471.portmap.host:42471

192.168.43.241:4782

Mutex

7a5f2afa-38ce-4bed-8e42-d1108199a2b3

Attributes

encryption_key
0F8B61E5223AD57FA54A04631691138A0F76FAE4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
wod2
subdirectory
SubDir

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7971510363:AAH477ofdLYaboEb0PeeyOtbxApvVZT953M/sendMessage?chat_id=7405587880

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://moutheventushz.shop/api

https://respectabosiz.shop/api

https://bakedstusteeb.shop/api

https://conceszustyb.shop/api

https://nightybinybz.shop/api

https://standartedby.shop/api

https://mutterissuen.shop/api

https://worddosofrm.shop/api

Extracted

Family

quasar

Version

1.4.1

Botnet

botnet

165.227.31.192:22069

193.161.193.99:64425

193.161.193.99:60470

Mutex

713051d4-4ad4-4ad0-b2ed-4ddd8fe2349d

Attributes

encryption_key
684009117DF150EF232A2EE8AE172085964C1CF0
install_name
System.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Office
subdirectory
Winrar

Extracted

Family

risepro

118.194.235.187:50500

Extracted

Family

remcos

Botnet

RemoteHost

192.210.150.26:8787

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-R1T905
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

discordrat

Attributes

discord_token
MTAyOTM3NzcyMzcxNTU1OTQ2NA.G7rtDA.iVKPgXW9sMwRqiFimO_Rdc0nXAigNycwugkM4k
server_id
696661218521251871

Extracted

Family

xworm

Version

5.0

188.190.10.161:4444

Mutex

TSXTkO0pNBdN2KNw

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

82.117.243.110:5173

Mutex

edH11NGQWIdCwvLx00

Attributes

encryption_key
aGPuRaDerdUDJPrAfXtB
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Framework
subdirectory
SubDir

Extracted

Family

lumma

https://immureprech.biz/api

Targets

- Target
  
  4363463463464363463463463.exe.bin
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

dcrat phorphiex quasar redline snakekeylogger xworm zharkbot office04 tg cloud @rlreborn admin @fatherofcarders botnet credential_access discovery evasion execution infostealer keylogger loader persistence rat spyware stealer trojan upx worm discordrat lumma remcos risepro xmrig botnet office remotehost miner rootkit
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Xworm Payload
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Risepro family
  risepro
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Zharkbot family
  zharkbot
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- DCRat payload
  rat
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2