11/01/2025, 11:21

250111-nf71ds1jbm 9

General

  • Target

    Craxs Rat v7.6.zip

  • Size

    238.6MB

  • Sample

    250111-nf71ds1jbm

  • MD5

    4fc965f4281cd69e8935b5cf3fb3457b

  • SHA1

    684e4444e85e286e7e829a0e464deda0545aba7b

  • SHA256

    b7550146cc837d922681806aeae393e826e437cb423a09b3f74e0c157ee627a6

  • SHA512

    2677161cff174eddf426ef203e88cff8682fa4e5e7c4282b73224ff4859faef093aa33e1f81071b7f0d127d31f20e405a61e1495dadf18d7feb364aa0e028780

  • SSDEEP

    6291456:B6fze2X0LDNd+12U0LMCMGGXykkRm0yP8SkiFrpNA:qey0td+R0LTGVd78kXA

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to get system information.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15