Overview

overview

10

Static

static

10

CraxsRat 7.4 vip.rar

windows10-2004-x64

3

CraxsRat 7...7z.exe

windows10-2004-x64

3

CraxsRat 7...pt.exe

windows10-2004-x64

3

CraxsRat 7...g.html

windows10-2004-x64

8

CraxsRat 7...at.exe

windows10-2004-x64

10

CraxsRat 7...rk.dll

windows10-2004-x64

8

CraxsRat 7...ys.dll

windows10-2004-x64

8

CraxsRat 7...64.dll

windows10-2004-x64

8

CraxsRat 7...tm.dll

windows10-2004-x64

3

CraxsRat 7...PS.dll

windows10-2004-x64

3

CraxsRat 7...ms.dll

windows10-2004-x64

3

CraxsRat 7...pf.dll

windows10-2004-x64

8

CraxsRat 7...ts.dll

windows10-2004-x64

3

CraxsRat 7...io.dll

windows10-2004-x64

3

CraxsRat 7...on.dll

windows10-2004-x64

3

CraxsRat 7...le.dll

windows10-2004-x64

3

CraxsRat 7...et.dll

windows10-2004-x64

3

CraxsRat 7...xs.dll

windows10-2004-x64

8

CraxsRat 7...7z.dll

windows10-2004-x64

3

CraxsRat 7...7z.exe

windows10-2004-x64

10

CraxsRat 7...or.jar

windows10-2004-x64

3

CraxsRat 7...pt.exe

windows10-2004-x64

10

CraxsRat 7...er.jar

windows10-2004-x64

3

CraxsRat 7...ol.jar

windows10-2004-x64

3

CraxsRat 7...nk.ps1

windows10-2004-x64

3

CraxsRat 7...ni.dll

windows10-2004-x64

3

CraxsRat 7...-1.dll

windows10-2004-x64

6

CraxsRat 7...n-2.pl

windows10-2004-x64

8

CraxsRat 7...n-3.pl

windows10-2004-x64

8

CraxsRat 7...n-6.pl

windows10-2004-x64

8

CraxsRat 7...n-7.pl

windows10-2004-x64

8

CraxsRat 7...n-8.pl

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CraxsRat 7.4 vip.rar

  • Size

    236.4MB

  • Sample

    250213-v6l9ya1nex

  • MD5

    5378cc408b2d3f042f1376b3b18742a3

  • SHA1

    5bfda77cff8cde4ca0a182101621cb6c98cd766d

  • SHA256

    e77cd8d634bfe58d5760c81f22e1941dc8a79668437112b90c0080c31135e1e6

  • SHA512

    3efae762b2e64bea2513b68d183080589fb0c52cdc6036ffbefeb545e42b5451071fc93f98a2701b1dd99ab95fc85b49767b08d6f895f4383b21a037e9a69f9b

  • SSDEEP

    3145728:hUMRPgf7d5RQ4kRbiMHn/33namohdSlZDTZT25OH5kN4NQ908t24lZT25OZbU3I0:h/RIhD4biMHP3nadTSl/ykkRm0yP8SkM

Score
10/10
xredadwareagilenetbackdoordiscoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      CraxsRat 7.4 vip.rar

    • Size

      236.4MB

    • MD5

      5378cc408b2d3f042f1376b3b18742a3

    • SHA1

      5bfda77cff8cde4ca0a182101621cb6c98cd766d

    • SHA256

      e77cd8d634bfe58d5760c81f22e1941dc8a79668437112b90c0080c31135e1e6

    • SHA512

      3efae762b2e64bea2513b68d183080589fb0c52cdc6036ffbefeb545e42b5451071fc93f98a2701b1dd99ab95fc85b49767b08d6f895f4383b21a037e9a69f9b

    • SSDEEP

      3145728:hUMRPgf7d5RQ4kRbiMHn/33namohdSlZDTZT25OH5kN4NQ908t24lZT25OZbU3I0:h/RIhD4biMHP3nadTSl/ykkRm0yP8SkM

    Score
    3/10
    discovery
    behavioral1

    • Target

      CraxsRat 7.4 vip/._cache_7z.exe

    • Size

      329KB

    • MD5

      453821572a13cc6ea0736f9db6424e13

    • SHA1

      5f994bde8db4b658781756eaaca9416909a3a420

    • SHA256

      b8c3871a5d6a473a2e9d08684a481aea7467a97d0a433cf55b127323ef61218f

    • SHA512

      22468064ae306037d2b241e8a985ad5b037b45f6873e364f46d8066018533993e66834288227ae86e94e23511386f0afcf52776060b17dad11dfba4bc333b07a

    • SSDEEP

      6144:qnzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5kYF/lTRHA:q377SKfgvqkbFyFJC5RzH

    Score
    3/10
    discovery
    behavioral2

    • Target

      CraxsRat 7.4 vip/._cache_aapt.exe

    • Size

      1.6MB

    • MD5

      80f136b0642bbc25c7578e0d24d4673b

    • SHA1

      883596e63700c45ab0d4d880b883f687f65c2457

    • SHA256

      aa18b5646881ff3b8ca9879045a1b4a44e2d5b24fbe14486fc8236789de8237a

    • SHA512

      4a95ac6b8d6252b68ccc842e8dd36056d5b0a773a86d4a8234f39cc2195ccec06fc64954655956447dfc27896720c92f8dfa4a39c2bb568c21fcc588723d86fc

    • SSDEEP

      49152:XPNjtbkZdmFxzKyfMKiTYQ0QQQKXQQQQQQQf0Qw:/NjtQZ8Pf1

    Score
    3/10
    discovery
    behavioral3

    • Target

      CraxsRat 7.4 vip/ChangeLog.html

    • Size

      41KB

    • MD5

      2037a83c06d4840b72dc8d6c243a3b02

    • SHA1

      8fa8d97a2fb6cb561bb29ec365076726b4174814

    • SHA256

      c922d1a2550232f01d151571e30827528f939c962db52bd6feb3aa51290e28ab

    • SHA512

      1d3b91ab3988935e7716bb0dd3f550e593748a25720ff4c9a39c8ebd980ac77c94559dcf9685bbfc9e61ddde2e2401367905140dd92cf100cd4ce06182b011dc

    • SSDEEP

      768:aXBgQlr/JTwbXwnTHWKPXpxrTpTDqR2I6YxZbAuM5RkWkFT9RurXuGPoH9oa0zz8:aeQZNwjwTnpxPpTGR2+Zbgf8wLgWzAzl

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral4

    • Target

      CraxsRat 7.4 vip/CraxsRat.exe

    • Size

      65.6MB

    • MD5

      8eeb4cb347b890ede8359248d7dc3cfe

    • SHA1

      dffdf4960d4c6d78ba11848f9871f1d600d49ce0

    • SHA256

      33c1f4e796bb54bb60f6aeae34368febc9424e0db149fab0edd2337782e0557f

    • SHA512

      aacaabc828df2cca15096a9886799fb76f94145b33032635890db1c5cdf5561ea51387272a4b14e66c59e235df9de601fff2cc6665c54492bbf53cbcb06eab42

    • SSDEEP

      786432:Zk+NX10EPRCGZeZLHoA5AKF7zR/t6tKF+iSFgAxTKo2c:S+NX10q8GZeZBAMzttZmFXtIc

    Score
    10/10
    xredagilenetbackdoordiscoverypersistence

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      CraxsRat 7.4 vip/DrakeUI.Framework.dll

    • Size

      1.6MB

    • MD5

      0562b4c97f643306df491a938ae636da

    • SHA1

      0807c37b711374ed4814a9518c9e264517de89a0

    • SHA256

      70e72477f7fe0018e043ce8fe2228a289459058ee41caecd6f05855898bc5b80

    • SHA512

      c969cd274b6bf65a34f1d129b6531616a3485a1f153088609ad2369d380fdec37c3e88a423495912715a26e353dd5498f7f9e73c895e9f3f18fc7d1e65d2ecaf

    • SSDEEP

      24576:nYyUyUxws47SDJ+wfa3ZsacYwzhmT5LOMobxqFFnM9Pv1w+Fus:nYyUyUueD001YwzhmVSMoNqFF

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral6

    • Target

      CraxsRat 7.4 vip/GeoIPCitys.dll

    • Size

      191KB

    • MD5

      c070f2421851420e832e4f5989a775a2

    • SHA1

      d6af3c48ffbe0fa1e0e54860836d3bbf374b8b46

    • SHA256

      d54fd6c5903eea49a75d620d4ba232f8effb1863f5f9c974e4ac0a8fb1904131

    • SHA512

      75c3edeb4c16d8e82eedc5595b9c3fde4cbd4a3e9deae1967ad513474920a48e4e9275fdc76f44032b1be570a4ece1a6393c4680af8989f67bcdec039d06798e

    • SSDEEP

      3072:87IcHKc0TwY4O6BlLiJxTmd9h1+fJ5uJnjpUoh/ht21hYvpMaoySJHPc8E:8dHV0Tn4pox6d9G4k

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral7

    • Target

      CraxsRat 7.4 vip/HVMRun64.dll

    • Size

      3.8MB

    • MD5

      bdc09bd6dc2fc42f33558563ba227b71

    • SHA1

      9040b5b16f5a634a042150985ba16aaca945d189

    • SHA256

      d688f574eeb89ae9438b26386d6f7439af25dac50b5db861f329e0bea8b8b2bb

    • SHA512

      e0543c71f2f4c44b1e69eed97210ab0b6431f41053baee1a80b3b96d04897161621cc4f86fac601e1b45c89579c2da88f24e52038ebf6bae6f771be6fa994f36

    • SSDEEP

      49152:uZF3eODjMYmI6VyduOdWxdQhS1gpccmLkuHqTugtUoVOYOPtwj/RAOLkDfdyhQGL:ub4Y36VydnWbP1KccmLGTY9tpDaN1Hc

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral8

    • Target

      CraxsRat 7.4 vip/HVMRuntm.dll

    • Size

      1.8MB

    • MD5

      9021bc4fd9cc7752687ea1516e8a2294

    • SHA1

      cc169f76ed62e9377130500553d9391a4fa16e9e

    • SHA256

      8c15355190608d6f3e08efab275faca80f34683d489bb382efac8c02797bfaa1

    • SHA512

      e853def48945ad6ba310015010e89cc4058469a3a2e7d5b2b8d438aead520393f0a34d12510fa9e5f2b0d0ec0465da5186eac6c4a6d3df34b0caf1ac594919a8

    • SSDEEP

      49152:HGrO4YmI6VdhlItpy213BMps1vKKo5g5n8qwS32:HGZY36V/6niEiTqn8H

    Score
    3/10
    discovery
    behavioral9

    • Target

      CraxsRat 7.4 vip/LiveCharts.MAPS.dll

    • Size

      53KB

    • MD5

      dfee15e4c6efa37e6645d8b47c8581e0

    • SHA1

      876140e0855fcd15bfb590431fb7b280d1db4a21

    • SHA256

      5b8a9a04f454a2c4da5989fa454a0138d3e5c40712816600f90111b7bf045c40

    • SHA512

      4d0e7b0a5642b649c04e54d89e707ec00e79a0fa282eac19b6097b819652045c3e157763b5b2922a4c2252b0877059ef90eb60038280dbfbef9502f421d739df

    • SSDEEP

      768:r4gOx89xKERw2U11HI+bZO603JLw8MOrNNLSW5/5xTcb2y1ehVHp:rPKB22HIwwFNuC5N6n+VHp

    Score
    3/10
    discovery
    behavioral10

    • Target

      CraxsRat 7.4 vip/LiveCharts.WinForms.dll

    • Size

      19KB

    • MD5

      76c775d09b24798f6923452e920979b5

    • SHA1

      3fe2c79512a0d1153fb07f6640b27106c90d333e

    • SHA256

      a5b61c1726304e6b72e09a0f35ddbf52f89a75a4e28e6ed098c8d1df6081b4ad

    • SHA512

      eacc093f8ac9401f617df7e07fd68a8a0f1f03aa150283de67ad8c338fcb1520b0f07335547cf533a646ff95f239c92b029f952a706e736bcd9508817c9be0f9

    • SSDEEP

      384:F5gNA4m0NkdPbJfGZLifwdNqF8vLvTjzHEhZFUPOxFBVGquJpQ76RqMm:F5gNnrNklJfGZLiAw27jrEhZFyYMm

    Score
    3/10
    discovery
    behavioral11

    • Target

      CraxsRat 7.4 vip/LiveCharts.Wpf.dll

    • Size

      212KB

    • MD5

      e924f79f0b5f3e79c98477d75831813d

    • SHA1

      64f71e20e1953b13c771d8a8e63549ad6d64216e

    • SHA256

      1bdbb1b5c1a50653e5c26161e9b7c03edc518721a6e10ea180a84049d967106b

    • SHA512

      063e9bdbdaf0accb46cef5fdb98b30a97b8a6ba097a80d43a9799ff73e820d1c56d41ca9f71d94497736e3def7fbd0109db4000ab1d9e46cdc96357bf3e15fd1

    • SSDEEP

      6144:d/vd0eaDQcUc0GkiTV3bkACA3AloBtefVt+aA2xgKPo1zlW1w:vaErjGkiTV3bkACA3AloBtefVt+aAGBF

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral12

    • Target

      CraxsRat 7.4 vip/LiveCharts.dll

    • Size

      148KB

    • MD5

      9642899636959b7fc89bf34a8b998a90

    • SHA1

      479a0254d1c9e5565c7d861bb77f54b7eae50c96

    • SHA256

      9fcf89837b60f69c1c501e4cfa4d2860887afd0b8f325803367e795a4e3bc9ca

    • SHA512

      435dccb57ff3e9d0663770768c866838b19fbaa5b8e79de0ca111d9c73276f016e016d1d268f72cf3435ecac122039764fada952e1a4f68f368b492bb866c9a2

    • SSDEEP

      3072:saegvMNVoz3Vlw6/R3z3MV1IdJJGVKWHC2KdxFFT9lzo:VFJlwYMVWY65z

    Score
    3/10
    discovery
    behavioral13

    • Target

      CraxsRat 7.4 vip/NAudio.dll

    • Size

      498KB

    • MD5

      6ca17abccae3050f391401b2955f9333

    • SHA1

      0975b039a793accb58130d6639262cd291d80d5d

    • SHA256

      3ad5d09b4c8c3146d15955a564a9f1a57d7c795b189a25c6f722a738d95ef89c

    • SHA512

      c08f366aae9baf0e7762f47a2f79d0dee5187a1d7631e5838590b7c12911bdeb6247e0ff860ade36e04f1d6717f919ad98df6d3a1a556bff4b8994db9616ccec

    • SSDEEP

      12288:MnXnae2TPlr3zvzar5oRDaw92wP6mai9gs6C:K8lrT+r5ADakP4i9gs

    Score
    3/10
    discovery
    behavioral14

    • Target

      CraxsRat 7.4 vip/Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    Score
    3/10
    discovery
    behavioral15

    • Target

      CraxsRat 7.4 vip/System.IO.Compression.ZipFile.dll

    • Size

      24KB

    • MD5

      dcda916372128f13ada8b07026c1b3e7

    • SHA1

      99d6c187de8510206a93d2eed9c65e65e0c86e72

    • SHA256

      b5c12e9099643e2eda9b49edd0d98bdaed153c72a7e8e6235d8e78714402d16a

    • SHA512

      d66de5d61cf7090ce2e11ca8064723a44c2fdbd7ed937f1cf4198ebe13083037941b816ad9022d332bbb853666785600fa8b1faca94c498d2f82de73fe1e42f9

    • SSDEEP

      384:dK8Y54xRiW3mWeW+mWE3rq0GftpBj52ERHRN7dldBopPI:dKfemqiuEBHoa

    Score
    3/10
    discovery
    behavioral16

    • Target

      CraxsRat 7.4 vip/WinMM.Net.dll

    • Size

      43KB

    • MD5

      d4b80052c7b4093e10ce1f40ce74f707

    • SHA1

      2494a38f1c0d3a0aa9b31cf0650337cacc655697

    • SHA256

      59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46

    • SHA512

      3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

    • SSDEEP

      768:LyasDzF2TDSemqD9tGI+ffwj2Au0LVpqmf7KxcOOrYCPTxqPb85:LyaXKemqD9tGI+ffwj2Au0LVpq4KWrlv

    Score
    3/10
    discovery
    behavioral17

    • Target

      CraxsRat 7.4 vip/craxs.dll

    • Size

      16.4MB

    • MD5

      5bba6bea8e33a42327c93788643ef188

    • SHA1

      deaa84003a8e3a915c15a5e40ebb379b32070281

    • SHA256

      2b0a9f3e24ea4e6672d5c88148140d657ea30794893236b2d52f45a0717befe9

    • SHA512

      3847a650db18ff93b2bdfffed4a1eb34e0c7cb93b098b1f63e69943b744ea5e5ff2dfddf54beddbf8e0091feaa0fd3461dc67164b32dc8e8fe799c7782cc5874

    • SSDEEP

      393216:qnJG4FaCLuvqegSi3g2o56gRpJMWqOjPDWZakhwpZr:Fopsqee3WkEpFPKEki

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral18

    • Target

      CraxsRat 7.4 vip/res/Lib/7z.dll

    • Size

      1.2MB

    • MD5

      34738b1b326c7f65d365a5b33e045662

    • SHA1

      54f86f6d3b5d96584d6d2a76023f3522e09706fe

    • SHA256

      4d61796b499a4177b03e8e36778ec57293bebbf26412c69e19d3248602a2bb8a

    • SHA512

      134faa16f9913d4cfdfb8efdc9cdda6ff6907016e0f46e3f72792cbc183a688fab0484f251efa562639a75582e380b099481d79d6324e5aded0a8041492414ce

    • SSDEEP

      24576:XXm+ENgUCp+R3RuC2HhS6yR1xF2rH8W7f3z9L/SDidq2:HX7cRuC2Q6S36DJuKq

    Score
    3/10
    discovery
    behavioral19

    • Target

      CraxsRat 7.4 vip/res/Lib/7z.exe

    • Size

      1.0MB

    • MD5

      c90af375bc40d0506c16b4ed75efccb6

    • SHA1

      cd29f79b128ba67bc30e44e7a0365c5ffd3be376

    • SHA256

      c6e3aa8b8b76b9e3b9df71b3f31d1b7a23f2a031099aceb68c39f38945b65dc0

    • SHA512

      f0f9e9f6d92ebf20a5303be38e41f66fd052141f04db14ad1d30c974a4e4e70abd51340fe92658563bdb6a7587d9117883241de5bdd123a6e259123869dbabaa

    • SSDEEP

      24576:xnsJ39LyjbJkQFMhmC+6GD9P377SqLk2JC5RzHl:xnsHyjtk2MYC5GDR77k2OHl

    Score
    10/10
    xredbackdoordiscoverypersistence

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral20

    • Target

      CraxsRat 7.4 vip/res/Lib/ApkEditor.jar

    • Size

      2.9MB

    • MD5

      2a86a4e2a358bdef45ebdb9b1ad217b6

    • SHA1

      6f1474287e6e6f4b1264e48eda8b88dfb7b7a47f

    • SHA256

      6bcda26492a031fc63b0d0f7b6b4590ef5017cdecc134ee9768521b03833fe00

    • SHA512

      1e4eec08a13e72567bd2e565ddf08a17d098e470280a057c8d4c31cfd501482fe7e381364f456a31cad1b0dae69e85140111e776bbd4b95c0a450d7d7f82baa0

    • SSDEEP

      49152:R5DHKV0tkwisQD+Dt+C4e/4sLbTJ8Jxi18ZqByspA7P41Mwsw3Ga:Lz00tkw9Qa+BegsLbS3ksP4Nn3h

    Score
    3/10
    discovery
    behavioral21

    • Target

      CraxsRat 7.4 vip/res/Lib/aapt.exe

    • Size

      2.3MB

    • MD5

      380095ec86872cfcab1e1031a16e4750

    • SHA1

      bd5b040d47d16b7847174f9a5ce88732c87aa400

    • SHA256

      7f79865298d3abf371d496a29ad9ae1176d52cebd1635d05ef6d87fb770a6989

    • SHA512

      7aea4411b7892701dc31a980df8b0331804e3206f72dff5f8dba940b4e6250e85181a6c66b78112ba5c835947b223db81f19443f0fc4292d1e605872d1a47201

    • SSDEEP

      49152:ZnsHyjtk2MYC5GDMPNjtbkZdmFxzKyfMKiTYQ0QQQKXQQQQQQQf0Qm:Znsmtk2apNjtQZ8Pfz

    Score
    10/10
    xredbackdoordiscoverypersistence

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral22

    • Target

      CraxsRat 7.4 vip/res/Lib/apksigner.jar

    • Size

      968KB

    • MD5

      16c82bdd120d4b5803deafd3550afa5f

    • SHA1

      c1e0626fe98fdbe2f1d483f99664ec957f44f891

    • SHA256

      ba13fc4122f3c8ef23eed76e13792b033fd0506de90ec3ff1e5773e383eb6f15

    • SHA512

      9918a24392d397a64f39489dba1c73b1576ff1e6bc2c302f3fd7bb037b9f42f620ee90c12ebb625e927543e3163fbc47bcf99c93fde6deb0b9376e171f792bea

    • SSDEEP

      24576:5hCPzWIgo1IhgOBAxoBSTNDGbe48+mrmCJprmhBK5I:5hCbW6jAAks7R6OohBK5I

    Score
    3/10
    discovery
    behavioral23

    • Target

      CraxsRat 7.4 vip/res/Lib/apktool.jar

    • Size

      19.1MB

    • MD5

      361f0c97e34aa93c7c1d8aa3e4828f69

    • SHA1

      f19cead377b1db01b2c7e1348aebb40e071ec548

    • SHA256

      bc2b9a87ac5a86905b6ca343c21a0db3bc37bdd51154bc9cdf65523d95895d34

    • SHA512

      3cab65fe5cdbcc072f486281cbc1efde84eb0ecb5db52bd633c07640bf3f09fb79861df303e9c569f1399aa307226545ff0973039c31c3934a70890c6af5f48e

    • SSDEEP

      393216:CkyM3Zw9Rt5P66rAHKFNn514GWU/zgY6tKJzlWhkvOS4eSa:CHoA5AKF7zR/t6tKF+iSa

    Score
    3/10
    discovery
    behavioral24

    • Target

      CraxsRat 7.4 vip/res/Lib/junk.smali

    • Size

      566KB

    • MD5

      07daa56c012827a2ca40b03e8d3823c6

    • SHA1

      484e0da731ccf4da4e7a52a73c53f70bbb0e1b21

    • SHA256

      d7afac3ee30c639badcbc6b75a9a95222a6e519d53635a4c398fedc7546f4c56

    • SHA512

      29b6879655eb818ec65cb16927a8f2d36a4384a55fb63dbe8de349430ff63757309dda5eaef20ddf43acab6806260c9723da540a86743616e8993edb1532fe4d

    • SSDEEP

      12288:VilFY7VZ8EuJeio/CgCPK28VB081Em7zhZGIklwkLyXbWQs:gn

    Score
    3/10
    discoveryexecution
    behavioral25

    • Target

      CraxsRat 7.4 vip/res/Lib/libaapt2_jni.dll

    • Size

      4.5MB

    • MD5

      e84804160656ee1f7038a7a6fc1da82a

    • SHA1

      05b1f548c81cfd6e61e5828db80511ffb8df690d

    • SHA256

      a439a9bc2981c5f11a2bb75578f66f2b5b6afa328af05f8139321ddfe8322fad

    • SHA512

      ee2780d87bb801ef02f82427aecf0de2c7c496dbd4024edc5ca8d1db393c669b3cb6e263470b38811d905f0bdc7a9f3649d467082e1135710837add13fcddeae

    • SSDEEP

      49152:pqwBh9NbCoGOf3hglVHqyl47Gjt97AQTUVC2q7VgMbryS41CELpm1fUJ65PI6aPA:pUoGOPavHqyv7qaYCYCp

    Score
    3/10
    discovery
    behavioral26

    • Target

      CraxsRat 7.4 vip/res/Lib/libwinpthread-1.dll

    • Size

      76KB

    • MD5

      89c36848e4e5b4b1f38d54ce286f8c77

    • SHA1

      91bcff0258201826a77615bdad7d7315b0885af4

    • SHA256

      3f41452eb1e3aac78fd29e83a530154ff8ae66f2e70a9d54b92ed49b57cdf2fe

    • SHA512

      dde9b72c1396cfdcc74a22989cc10e367cd03b9abee474d647272f6c8e8aa2a6b868804c335bc2773a5e3ba66dd390e7dabe78344b5839c06315b04cc62a5a2d

    • SSDEEP

      1536:dj+7MrgyymQhXeVt3UcffVrl9jETRopN655HhUoEi1zuRvwHd541wQ04Mim3YCgb:dj0MrMmL30TuauRvw921wQ0Pim3YCgma

    Score
    6/10
    adwarediscoverypersistenceprivilege_escalationstealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral27

    • Target

      CraxsRat 7.4 vip/res/Plugins/Android/gen-2.pl

    • Size

      4KB

    • MD5

      0037f9d6a388db91c980351af4c03b2f

    • SHA1

      9384a65d636944e42c0e93310dacf68dfe016782

    • SHA256

      f0326ad672ec2278750232cc920769710972da0594f45641441a4327a555cb8e

    • SHA512

      6ae67ad4d61ffd437c7b5b6044c6cc2c99b47619e0a7d3338322e3df1181dc66bed393a2466953e5b4eafb8d4b2fd7864e61b04479e74e0ffe1fd8d1cdc6d57e

    • SSDEEP

      96:2Pm57RfU5dE1Yn8RA9O6vUfXDmzWyPVEjCjpHY0e3/:2O5lw8RAU0UfXalNK0xYD

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral28

    • Target

      CraxsRat 7.4 vip/res/Plugins/Android/gen-3.pl

    • Size

      5KB

    • MD5

      a03b010aaedc90001f105b4858a4e8d1

    • SHA1

      44191d7dfea55cf37b6b14193801c90741ebb8cf

    • SHA256

      42c8d417fcc509864d08d42ef61a4926a17010abce6c1f06187acd931a9eeaab

    • SHA512

      8769d8329172a6d95b99056bd0b05ccab41c9b4b9b7efe16f2fb22a3f8acbab98d273a3c6bf2e845934ed58e95a08229f0fe27f78f057ca2c3f2ad547f863145

    • SSDEEP

      96:2Pm571ukquJN67N72vNx+y/NeFyocWiBhpWKvgnJyC5a4h7Ybt:2OauuhI9/8/X+pRvgnJR5a4h0p

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral29

    • Target

      CraxsRat 7.4 vip/res/Plugins/Android/gen-6.pl

    • Size

      7KB

    • MD5

      d324afb827bc0410b7387f2f22d14242

    • SHA1

      bc8e494e86e41bee2ce2add6d0fe8919656a7102

    • SHA256

      69572ff59d2f8b428fa2e5fad4c6abfaa78813b889740a0b17c3bf4ff522f2c7

    • SHA512

      c337ade6028a734922d91e96abf87f889d57ebe825ab0a4c0d927cffb26e38558fc1c3f61ee042f423e639e60637b4b41cd436aebc054df2196868d58bcf428b

    • SSDEEP

      192:2OkFCNbNbSdOYT7Ax0xrUhmE7OH7Vgpet+gfLTkRQi33o+:2pFCNIdO24gr9EiH7V03gfnkq+

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral30

    • Target

      CraxsRat 7.4 vip/res/Plugins/Android/gen-7.pl

    • Size

      5KB

    • MD5

      a9f48543cf1571322f575724a0e8de35

    • SHA1

      edaaf35c07045f0d0376202700d1d3213e42c246

    • SHA256

      3a36e9b32c7bee100d590a31b8e622a229c6168e2fcd95dbd9fa934025e6787b

    • SHA512

      0b7f72c4b68e78f2c73485387a3d6e0d2dc92a2298bf0f737ccf1d4bf508db1e96a164550ed7a3a0a74f99cc89d989e1d28ecd986c4f164a0b22e9760dadadc1

    • SSDEEP

      96:2Pm57cUV8+pZmIjZ9gZdXarsspyqU0H16DN1kvZFgfqYTfTvPNLMrnSkCXeYH/:2OduEmIj8ZdKrQ0HkzkvZFO31YdCuI/

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral31

    • Target

      CraxsRat 7.4 vip/res/Plugins/Android/gen-8.pl

    • Size

      4KB

    • MD5

      767a048eec9220ff6d1434f8a6e6bcff

    • SHA1

      c328487ea7944dd413e6675065a4f22a8b0835eb

    • SHA256

      ed866f146cc3cec59e01c9ec18aa62d25590c9f789ec127c4c8d29350970edeb

    • SHA512

      4bc516c28b4d701153fec415c666f466f21aa095f6ab396cc98f84dadfb20fc60c47a6d6fe52ec43e964bc38fd1ac779e512171c6435f261710f53bdd3e7aa3a

    • SSDEEP

      96:JK+BK+W8yWwp+sT+YEIjxVuakCSq2z50gcBXfj8dPaQnmeCwKGS4AE9Wq:YAK+DrOfOIV7kx/cd8U5e0rZlq

    Score
    8/10
    adwarediscoverypersistenceprivilege_escalationstealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

5
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

agilenetxred
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
8/10

behavioral5

xredagilenetbackdoordiscoverypersistence
Score
10/10

behavioral6

discovery
Score
8/10

behavioral7

discovery
Score
8/10

behavioral8

discovery
Score
8/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
8/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
8/10

behavioral19

discovery
Score
3/10

behavioral20

xredbackdoordiscoverypersistence
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

xredbackdoordiscoverypersistence
Score
10/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discoveryexecution
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

adwarediscoverypersistenceprivilege_escalationstealer
Score
6/10

behavioral28

discovery
Score
8/10

behavioral29

discovery
Score
8/10

behavioral30

discovery
Score
8/10

behavioral31

discovery
Score
8/10

behavioral32

adwarediscoverypersistenceprivilege_escalationstealer
Score
8/10