General

  • Target

    czxczc.zip

  • Size

    46.1MB

  • Sample

    250311-jzs85axj12

  • MD5

    3f9c71c4bb3893b54348f89b52d1a5ff

  • SHA1

    aedd643857ad781decc22e18f24100c1868edb6e

  • SHA256

    242c30685ccdc13d7018d55be7885a45226f41e59823d13aff20c791dc3764a5

  • SHA512

    96a9e56812d6509c1009f3d360b9a8f785e8f8e689b9250793831eb6a80ddc7dcce50e914a2504a0253021aa06d227b800320e03ba6b86c81c6394d23ef7aad0

  • SSDEEP

    786432:AOHDyeg9U0Kh+m2Q2ACu6BM30UGnOwqHsYV5Z+huLs6ujbVfO4Q30Uo30UpCACW:AOH+Q+m2QJRJ3wqHtV5khuI6ujpf5eJM

Malware Config

Extracted

Family

xenorat

C2

172.22.88.67

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    nothingset

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

92.255.85.66:7000

aes.plain
aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

C2

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2020-04-24T17:41:53.492468936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    45400

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ae82ab7f-db07-49ee-9d2b-76075d76f37f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sysupdate24.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      be6660f0cb82b31a71ed8e383244e85ff881749b97ebad0806017351d8229daf

    • Size

      213KB

    • MD5

      0684b702191e6427ad069f0b2eea4cc8

    • SHA1

      80f16aedde1eb72d2a839f7f1ab6d8b5c9ffe0f3

    • SHA256

      be6660f0cb82b31a71ed8e383244e85ff881749b97ebad0806017351d8229daf

    • SHA512

      b4726cfa9c0209ccc6bb4a6b8c5092be1691957290db808581b514e20b07c14fcddf9f14ca75f25f57014a6b28334dacb727527d1edb790f167cd35d4e661fbb

    • SSDEEP

      6144:zgu0c4uUfX8fyVV+ZRH8rq9JrKbRG1EK1:zr0tPP48rq9Jr1

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      becefadddd4747997c651d85e420a744d675e13b9604c4338dd88c63f3390f9e

    • Size

      13.1MB

    • MD5

      7b1602f93628785191a0f68d93e21a9d

    • SHA1

      99426b0dd8ea741b538ad49e7d35c4439fc7bed1

    • SHA256

      becefadddd4747997c651d85e420a744d675e13b9604c4338dd88c63f3390f9e

    • SHA512

      61443153e8b4305f1ff9070a50952c88d3866304993b6c5e1207239706958a5db188cee1fd53079636e5cd519d6c457bc36bec74a0a51a4e0108bd41bc8426bd

    • SSDEEP

      196608:Rb9+/BAe1d4ihvy85JZIRc3bSL1kehn4ilje:MyIZIfRka4i

    Score
    1/10
    • Target

      c50a2f764ee11a1417cbef69a9212ab188c207cf5b4fa0092345e20fd2159aff

    • Size

      1.4MB

    • MD5

      83a6b265f1005bddd521aaa46816e4eb

    • SHA1

      501e6fcdb6fcdf13a07611c8ba5b2a6ca984bd73

    • SHA256

      c50a2f764ee11a1417cbef69a9212ab188c207cf5b4fa0092345e20fd2159aff

    • SHA512

      0fcff368c6c6e3cc9275c4ddbd27324b9f627a0119c2760ffb6edc996143778769db5d713504ee411ca4351f683e3120a38011b5dea6d3af6081bb272a295699

    • SSDEEP

      24576:GS5fJN69Uqb5pVamw1Z8gDYgKkllGsTOehnRofCO3T3G4RRRtfBz+:GS5G9UqXm3DpKklQC2jRRtfB

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      c9883d323f76b9e9bb3b8462786e51e5f1234b782e14aff683dc18d1d2936b75

    • Size

      45KB

    • MD5

      0e329e5c31937eb3484eeca9fc505f8e

    • SHA1

      786352c168b3d82c99f819b6b2b5a433abe26bfb

    • SHA256

      c9883d323f76b9e9bb3b8462786e51e5f1234b782e14aff683dc18d1d2936b75

    • SHA512

      de9baab5cc565138ef117960c311f0e9a39cfe399d8347b106e393505a8667d344178f76b67783b390f00a96e25347c28e6d1b597f118cc4e075f4858c5f0a2a

    • SSDEEP

      768:SdhO/poiiUcjlJIn/lH9Xqk5nWEZ5SbTDaMWI7CPW5h:0w+jjgn9H9XqcnW85SbTFWI5

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      cc41f8538c683d5bc60bcb27f1860b973b9401746aa2eece645deef2b18fb5ef

    • Size

      1.1MB

    • MD5

      990043982028299622b21e759bc3833f

    • SHA1

      5a7d8544ec7eb6446cce47069e376407f2d9f66e

    • SHA256

      cc41f8538c683d5bc60bcb27f1860b973b9401746aa2eece645deef2b18fb5ef

    • SHA512

      fafa0f7f9dcee9012340de46853d6cf11ab610dd26bb42d66da6b83907e278957694f88b2a94c861a549dc8c179c3bff9e75f81a868e19369c316ea7c0a11e79

    • SSDEEP

      12288:amc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:ah4TbLUEhZL/GspeYhkc9Soh2SfwJ

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Target

      cd59232c798f9a5132449a0c05bc1097aaa828442cc719301d5c007d21a884ca

    • Size

      822KB

    • MD5

      cf3c825d462bfc6fec2ae4abff2d13ab

    • SHA1

      b12ba6ccbe04e300796ec4dbec485f0649c9e427

    • SHA256

      cd59232c798f9a5132449a0c05bc1097aaa828442cc719301d5c007d21a884ca

    • SHA512

      ba2f591d2d76200a6750226262b27c59ed259c9afeafbb70b79e3f7570e31e542979f0332c57ced93be19049b2eb0f226da3e7dd5deafe739260e630d92fbc00

    • SSDEEP

      12288:/cZyCM9wN+BEcaVXE35MjpI4s7rql+9s0od6VZsd5t2OtOjkH:zCIza9ja4v0hkddt

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      cd63e31ac9811e1b66db287a4f3c3609ee7f9932d639a1013c8b416f76b5b5bb

    • Size

      231KB

    • MD5

      dabd584c47b475f8db6fb0b34ad9e554

    • SHA1

      58e743b003f171e7e9c492d5e7eb172053a5e00d

    • SHA256

      cd63e31ac9811e1b66db287a4f3c3609ee7f9932d639a1013c8b416f76b5b5bb

    • SHA512

      a64bf4a7e300eeb3e8fcde28eddeafe8f93e2be409c27411ca91e630b7fec2e5abae8ce86f0c4e102da87155c99fd8d842a610e4e54eb4a04d115d801b5bc8a4

    • SSDEEP

      3072:cH027jVPyeWMEv2EG1GZklWiKlOVo4MIG4P/bA52luJGcU53TXbYwEKgNZ/N:cH0WjseWoEG1GZklWiKAVhtbtn3EKgL

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ce35733ce2ad981f0f879743d2cdb1bc507f662ffac519beb567601428de8dea

    • Size

      108KB

    • MD5

      e214ea00c8b524f44273c00d5073b1d3

    • SHA1

      3ce312fa54828a6ea3ad9f85a9cc0919fe3f42bc

    • SHA256

      ce35733ce2ad981f0f879743d2cdb1bc507f662ffac519beb567601428de8dea

    • SHA512

      905c7af3fe31c0edc7760b33c1a8718d2a00dffcf74b6ebaed462b02e5953c0d8a4c0c62e292b26b94b405c31b3e4d3d1b9e389e35de65489e3bc2764b909292

    • SSDEEP

      3072:KhBAg9dERJjJRME5J6zxW73v3EmddXNH:KhK2dEPLP/6Fy

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      cf8aa638e3982b6f37c4a3070381663b65c0ebca89c394c06728d35ae7239a3e

    • Size

      287KB

    • MD5

      c40f6518162bc072da48b7458bc5d262

    • SHA1

      5a42b3cfae6eab5084b3cf849633bbcc6332b4aa

    • SHA256

      cf8aa638e3982b6f37c4a3070381663b65c0ebca89c394c06728d35ae7239a3e

    • SHA512

      e0fae719b3bba34d103297b452ac2b5c83b5f55edb1b2b49f319904ee9e01657c06ec50200db6af776922f7cb6c771ae6900cc436f2eb2bb40e56024d0481daa

    • SSDEEP

      6144:rTZL7v9ZypbeI78GlOTJm2d+ROzDgFsQIH31y+R8k:rTZKjOQO3s+z

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Suspicious use of SetThreadContext

    • Target

      d25e7c5f45c85782f84f36e2f8ecbf749e9cde440b74c35f5ce0f83036798161

    • Size

      745KB

    • MD5

      02b35215328d4eebc9d0d21cc86a21ad

    • SHA1

      7bcd59758934972c9d9195e53329a022496f5f74

    • SHA256

      d25e7c5f45c85782f84f36e2f8ecbf749e9cde440b74c35f5ce0f83036798161

    • SHA512

      2dca5bfa207f74095e994a2a038e76c2ec8075b91d941f2ee34e11bab69526539d6668c428081068629f3e8b27daea3410d3b9a2dc1705990be4aca44a0934fc

    • SSDEEP

      12288:dUWlJFr/GMpjae92LoUbV4FzSmP+PZ54Gg2glW6O26jGrG6ALW+UNVox9uG:RlrljSVEzvP+5DbglWNjGrG6ALWy

    Score
    1/10
    • Target

      d48d59ae3f5d4b4ee5335361f76cfd61552d3487cfed933c082cb5fe8aef21e2

    • Size

      256KB

    • MD5

      7990da9941139fb5153d1ed7f5797bd7

    • SHA1

      c4335993bd072db28c56c4f48ce044816f78c740

    • SHA256

      d48d59ae3f5d4b4ee5335361f76cfd61552d3487cfed933c082cb5fe8aef21e2

    • SHA512

      a0387b8bf00ead7f535fa9d459a19d92c93d142b9d4202561acd7084ba6dbc518a6a0ec1beecd7c2120d1be109e68b6309a96a7132de85cb1fc6b4dc8bb2f46a

    • SSDEEP

      6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQqQ:EeGUA5YZazpXUmZhJQ

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      d6ddf456f939a8842e226ad1c5e712a72bc859a5ef65330c6e3f23a36cd44ab4

    • Size

      1.1MB

    • MD5

      5913a8e99883ae74355b7f9884a0e65f

    • SHA1

      6f7b23c2bcf1faf83874664c6fbac6ac696c107f

    • SHA256

      d6ddf456f939a8842e226ad1c5e712a72bc859a5ef65330c6e3f23a36cd44ab4

    • SHA512

      4521f4eb99588f5f7bbb667561a7dc225f557d4385c90114594683eb6b2462dd8a8d8789ab70264811b6e8285586c5ab5c797f88c1c72319e77c12fbbeb87e6d

    • SSDEEP

      24576:ufiwc3MdrDyK2MwMAuVh8nVWqk5BkAmfKvCjK6kVAmgjhT4j/afD63FiD9:uI3MdrGNMsnVQM14CrkVAmgjhkj/OGFO

    Score
    1/10
    • Target

      dbaa0d613dfaed740281038e4710e81d7797bf76c166390d7d8d1bd9f8ecd25a

    • Size

      287KB

    • MD5

      40476125649aba1930032314a87e3337

    • SHA1

      92797f375048d9f578a486c90116863dd1de631c

    • SHA256

      dbaa0d613dfaed740281038e4710e81d7797bf76c166390d7d8d1bd9f8ecd25a

    • SHA512

      5efe796bf9b5019352c1b6a16b78f1ad0b4e56fe81550d4984467a1a93f36a37f26033a78b05aa01275846f1457c5f46b421287980883df0e93cf56f42024458

    • SSDEEP

      6144:RrSO3vos85FjmSGny7h8GRv8SVUAhNaN7:RrSO3vosAFjmSGyaGRUSVUAhNaN7

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Suspicious use of SetThreadContext

    • Target

      dbb4048ea093beb4c4c0900c1d67dd8a60e983d5670894498f32fbe711505dbc

    • Size

      268KB

    • MD5

      43f36a944bbcc58c7092643582ea120f

    • SHA1

      91565d256a8206d82138c061f1f46291e45ebce0

    • SHA256

      dbb4048ea093beb4c4c0900c1d67dd8a60e983d5670894498f32fbe711505dbc

    • SHA512

      54db9a608e1cd1d5455e5f3d0fefde4fda91bdf9eaa55e6e53f697261a7d07bedb9688749de23b789fa7982e6dd921f6421e1ecc0a23437e296cd5351feb0b56

    • SSDEEP

      3072:txji6fQ433xVJPLDc99m/YYYYYYYYYYYYYYYY3YYYYYYYYYYYYYYYYYYYYYYYYYb:1fp3hL4IoHKa

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      dc1188e49519c24dba922916547bef0d1b90a49631b70feeef635f0fc5c9c184

    • Size

      441KB

    • MD5

      c2948bf16ec4696193bfa707ac2516a3

    • SHA1

      ade8504272e0a1895bde6e7bd90aa8866a4a3996

    • SHA256

      dc1188e49519c24dba922916547bef0d1b90a49631b70feeef635f0fc5c9c184

    • SHA512

      d7ff8df88454349ed8aea4289c75bca74abdc4cadf6b9d6f9f2660cd370949644d37dbf879998e0eaa16903b15a7fc7387bbf7aeaf406ae9653fd6ec7f957fc8

    • SSDEEP

      1536:rRAgLFrz8qkxZoMwYty9wUHlDGxutVe9rpGIlBCq2nFlc15f:yqn01G9wGe1p7lBCq2w

    Score
    9/10
    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      dcb399030d04693cb4d089c12b8ddac17c4c793e3c4328c49d00a3640f5f93df

    • Size

      256KB

    • MD5

      d5dd8a2fd7c1bf09b44a1f2a1c8cdca1

    • SHA1

      aa0ec28b8c0b0d3fc5ddfaa3d6a5319237f10640

    • SHA256

      dcb399030d04693cb4d089c12b8ddac17c4c793e3c4328c49d00a3640f5f93df

    • SHA512

      a83d6107ff4eb3e7a4acb46f1880a4bb0f567af705a7c31bcd7e08099f1c855db60f7e5f188a76d979759329231458ccc2d66ca993c198557020a2ef45c81fd5

    • SSDEEP

      6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQqe:EeGUA5YZazpXUmZhJe

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, stormkitty, dcrat, xenorat, sectoprat
Score
10/10

behavioral1

stormkitty, discovery, stealer
Score
10/10

behavioral2

stormkitty, collection, discovery, persistence, privilege_escalation, spyware, stealer
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

dcrat, execution, infostealer, persistence, rat
Score
10/10

behavioral6

dcrat, execution, infostealer, persistence, rat
Score
10/10

behavioral7

xenorat, discovery, rat, trojan
Score
10/10

behavioral8

xenorat, discovery, rat, trojan
Score
10/10

behavioral9

dcrat, defense_evasion, execution, infostealer, persistence, rat, trojan
Score
10/10

behavioral10

dcrat, defense_evasion, execution, infostealer, persistence, rat, trojan
Score
10/10

behavioral11

sectoprat, credential_access, discovery, rat, spyware, stealer, trojan
Score
10/10

behavioral12

sectoprat, discovery, rat, spyware, stealer, trojan
Score
10/10

behavioral13

stormkitty, discovery, stealer
Score
10/10

behavioral14

stormkitty, collection, discovery, persistence, privilege_escalation, spyware, stealer
Score
10/10

behavioral15

defense_evasion, discovery, persistence, privilege_escalation
Score
8/10

behavioral16

defense_evasion, discovery, persistence, privilege_escalation
Score
8/10

behavioral17

xworm, discovery, rat, trojan
Score
10/10

behavioral18

xworm, discovery, rat, trojan
Score
10/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

discovery, persistence
Score
7/10

behavioral22

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

xworm, discovery, rat, trojan
Score
10/10

behavioral26

xworm, discovery, rat, trojan
Score
10/10

behavioral27

discovery
Score
8/10

behavioral28

discovery
Score
8/10

behavioral29

defense_evasion
Score
9/10

behavioral30

defense_evasion
Score
9/10

behavioral31

discovery, persistence
Score
7/10

behavioral32

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10