Analysis

  • max time kernel
    24s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/12/2024, 13:30 UTC

General

  • Target   NeverLose Loader.exe
  • Size     2.8MB
  • MD5      a35bacaf176f367bd51ed22782dc5519
  • SHA1     99fdd147469d0392fc2a8fcc714206a70c3961db
  • SHA256   9fc8c881c65e76927632323529b5186fb552d22fa4b52b6ac82165728aa02f9f
  • SHA512   b33b4452cccd762eead94b90244e2aaefa9f5fcca45dba761d5e28a28a2bbc3ef201b2e1f187df6e66949fb501f1edb31f7d9634dfa7dd17bb7050142a31b51a
  • SSDEEP   49152:tBUnRxbHAr0MmN6vm2H0MvnoxhRb4q3WO/PVdxfgz6:n2RxbHyfH0MvnonRbZ5Vd5o6

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Process spawned unexpected child process (3 IoCs)

    This typically indicates that the parent process was compromised via an exploit or macro. Here the three IoCs are the three schtasks.exe invocations in the process tree below.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution. In this run three tasks are registered (TextInputHost at logon with /rl HIGHEST, TextInputHostT every 5 minutes, then TextInputHostT again every 10 minutes with /rl HIGHEST, the /f overwriting the first), all launching C:\agentsavesSessioncrt\TextInputHost.exe.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NeverLose Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\NeverLose Loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\agentsavesSessioncrt\wvAy3g2cwUA0WlAR67rDwx6ilqeJ3huGsrpLtUKpTSpXZqeLmD5jcZq.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\agentsavesSessioncrt\fqPjTa5dmPVCKdRywzd7JYZCOwyT6TkVbtC1AmfVOodlKWVPvDa.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe
          "C:\agentsavesSessioncrt/hyperBlockServerSavesSession.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zklvxjjd\zklvxjjd.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:380
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE733.tmp" "c:\Windows\System32\CSC64A9DA5E912B45C380D89BBEBED6B8C9.TMP"
              6⤵
                PID:1228
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3980

Network

The only traffic recorded in the 18 s network window was DNS: reverse (PTR) lookups sent to 8.8.8.8:53. The addresses looked up (the Google resolver itself, an Akamai CDN node and addresses in Microsoft and CDN ranges) are typical of Windows background activity in a sandbox; no connection that could be the RAT's C2 channel was captured, so no C2 indicator can be taken from this report. Sent/Recv are bytes on the wire; Pkts is packets out/in.

  Query (IN PTR, to 8.8.8.8:53)   Answer                                               Sent   Recv    Pkts
  8.8.8.8.in-addr.arpa            dns.google                                           66 B   90 B    1/1
  217.106.137.52.in-addr.arpa     (no PTR record returned)                             73 B   147 B   1/1
  83.210.23.2.in-addr.arpa        a2-23-210-83.deploy.static.akamaitechnologies.com    70 B   133 B   1/1
  95.221.229.192.in-addr.arpa     (no PTR record returned)                             73 B   144 B   1/1
  14.160.190.20.in-addr.arpa      (no PTR record returned)                             72 B   158 B   1/1
  13.86.106.20.in-addr.arpa       (no PTR record returned)                             71 B   157 B   1/1
  28.118.140.52.in-addr.arpa      (no PTR record returned)                             72 B   158 B   1/1

TTP mapping: MITRE ATT&CK Enterprise v15 (the TTP counts in the Signatures section refer to this version).

Downloads

Files written during the run (path, size, hashes):

  • C:\Users\Admin\AppData\Local\Temp\RESE733.tmp (1KB)
    MD5     616b1ca7043b460eb8509579739269dc
    SHA1    d373c0154cb2d5811fdc465951b5531c937c9fa2
    SHA256  c8658d76547b54703bac347d7248674bd16d1c6e9aa3bedceadec9b68f40a9a2
    SHA512  d71422a2ae3ebdd77190dd26ce2e1d1f31acae87327827cb3e8f9d328bbc900475768ae51e351f7f798f72a6c2d00564b0fc9da8cc70d0290cb0fc9e843c0b95

  • C:\agentsavesSessioncrt\fqPjTa5dmPVCKdRywzd7JYZCOwyT6TkVbtC1AmfVOodlKWVPvDa.bat (103B)
    MD5     ebe4c21126c470353bc85eac1cef774a
    SHA1    ee65d9ffab4a9d4781feb71d087a946bd64476cb
    SHA256  27dc735359b7b713506b5a2dbacbbdb43d296f0cc4f11f374b59d605ec4f64e0
    SHA512  67b2b033fb58cd3df39a1b7741d14729ef092d21c142c0a06611eed6479000ca29595496624b8d2acf43041ef8332e4cb66923d10b9b6a29dc29e9e007885f13

  • C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe (2.3MB; the dropped executable run as PID 2748)
    MD5     22a0f7e0137b38061bcea6990ea2b3d8
    SHA1    65b9d717a7a53df2bd8c58351510033e771cfd02
    SHA256  ad7b5a48b29168ac72ab4d887e21021c3c63d4320de8b0b88ae8d295c98a051e
    SHA512  192acb8169f883ece3af2c83eacef49bc6fa465bbe943b3716af785e8bb4bc959fe7e6457b14bb5474adba6fd5f18fc9e30bf2a1a63b5147d0dca5e52681ae25

  • C:\agentsavesSessioncrt\wvAy3g2cwUA0WlAR67rDwx6ilqeJ3huGsrpLtUKpTSpXZqeLmD5jcZq.vbe (250B)
    MD5     a0513e519e74038b3105c6da2ab0d334
    SHA1    6c5f7f413c19c0f7c2584e706a60d08c27823e36
    SHA256  3ed9c9074b5448cb4fdc13904739407317f5e083eda10b4ab6145888ffa12033
    SHA512  222c2107dcfc29a0e0a05a5378ac38a564c175868d9a9428de4610cff53b35c16dee575e4d63eb427ad23bcaec7a8649167b4918aaf18e78bf7329a6c2e3b877

  • \??\c:\Users\Admin\AppData\Local\Temp\zklvxjjd\zklvxjjd.0.cs (373B)
    MD5     88fac8c11bfa1d3d9760f01a8102a18b
    SHA1    082b3403249570f33844ebd4ee1836c3b649be1d
    SHA256  35314d50c7c404da406f186f75740a4c96ce3f2c5ac03ec739dcab8e420151e3
    SHA512  ea0dcdb390c48d2c7a2e4557ad46e2fae4212c4e46a4d0a7ac4da49ab41209e2ba9906d3f417d269a22bc31dfc2f27ffa9043bb9e664b0303d2afb153b8b212a

  • \??\c:\Users\Admin\AppData\Local\Temp\zklvxjjd\zklvxjjd.cmdline (235B)
    MD5     25b8e1f70d5c054f5a5450049f0052ad
    SHA1    998aac474fa791c5a2234fc482309a52028e95ff
    SHA256  1cf05f8d483aae7d09b83e9eaa6098719ec9b8d9a03311ffe6e4c8fb6124a3eb
    SHA512  5fdc0e86ebb15c6bd36055a93e3de896c0c21a3e14bcb8a5075a5cf8c2f597d33ff5728d1576eff70eba587313fced6ec462b4dd744f04ea84ff856d5deaad45

  • \??\c:\Windows\System32\CSC64A9DA5E912B45C380D89BBEBED6B8C9.TMP (1KB)
    MD5     75e32610d8ef6143201c7c28465fcda9
    SHA1    b2bae99fade2dda07aecbe1659d184be0fc4e7a6
    SHA256  97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
    SHA512  b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Memory dumps (all from PID 2748, the dropped hyperBlockServerSavesSession.exe):

  • memory/2748-17-0x000000001BE10000-0x000000001BE60000-memory.dmp (320KB)
  • memory/2748-21-0x000000001BEC0000-0x000000001BF1A000-memory.dmp (360KB)
  • memory/2748-23-0x0000000001660000-0x0000000001670000-memory.dmp (64KB)
  • memory/2748-25-0x0000000002F30000-0x0000000002F3C000-memory.dmp (48KB)
  • memory/2748-19-0x00000000030D0000-0x00000000030E8000-memory.dmp (96KB)
  • memory/2748-16-0x00000000030B0000-0x00000000030CC000-memory.dmp (112KB)
  • memory/2748-14-0x0000000001650000-0x000000000165E000-memory.dmp (56KB)
  • memory/2748-12-0x0000000000C00000-0x0000000000E48000-memory.dmp (2.3MB, matching the size of the dropped executable)
