Overview

overview

10

Static

static

10

0468a48ea4...66.exe

windows7-x64

10

0468a48ea4...66.exe

windows10-2004-x64

10

04a0d422bf...89.exe

windows7-x64

10

04a0d422bf...89.exe

windows10-2004-x64

10

04b096c64a...8c.exe

windows7-x64

10

04b096c64a...8c.exe

windows10-2004-x64

10

04f053e37f...9e.exe

windows7-x64

7

04f053e37f...9e.exe

windows10-2004-x64

7

051d54e80e...d9.exe

windows7-x64

10

051d54e80e...d9.exe

windows10-2004-x64

10

055434cfbf...10.exe

windows7-x64

10

055434cfbf...10.exe

windows10-2004-x64

10

056237071f...6f.exe

windows7-x64

8

056237071f...6f.exe

windows10-2004-x64

8

05bc9e2415...85.exe

windows7-x64

10

05bc9e2415...85.exe

windows10-2004-x64

10

063e970822...53.exe

windows7-x64

10

063e970822...53.exe

windows10-2004-x64

10

067dba33ec...10.exe

windows7-x64

10

067dba33ec...10.exe

windows10-2004-x64

10

069e1d61a6...6c.exe

windows7-x64

7

069e1d61a6...6c.exe

windows10-2004-x64

7

06abb382ad...1f.exe

windows7-x64

10

06abb382ad...1f.exe

windows10-2004-x64

10

070c765850...3b.exe

windows7-x64

10

070c765850...3b.exe

windows10-2004-x64

10

071dc8716c...f5.exe

windows7-x64

10

071dc8716c...f5.exe

windows10-2004-x64

10

071eca8631...c1.exe

windows7-x64

10

071eca8631...c1.exe

windows10-2004-x64

10

0736e2c073...47.exe

windows7-x64

10

0736e2c073...47.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_2.zip

  • Size

    76.3MB

  • Sample

    250322-g12ksay1dz

  • MD5

    1d61011ad9bf6439f7564a293f32fca4

  • SHA1

    e4c4676b80289846fa98a16c5bebcbbf80af74cc

  • SHA256

    4e5088984e5d2304a531271ae248973b36e6d96a7f48f0dc56a92ffd951452fc

  • SHA512

    ecb60fc9f14af551d25be7cfcd7fb3bb4f51f621c1e3be66f142db1a5061d47c509ea064db7c7b53c92fcbc00dc3024dc4ef064993509e0e72dbf6ed615001e4

  • SSDEEP

    1572864:u1QfeVbVaKlXkbqlqW/xTy6xjrHHaMhbl1ORuMnx1KOblu0CtnjY:aQcaKRkb6Tfjrnzkxx1cV8

Score
10/10
dcratnanocorenjratremcosxwormhostneufcollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerkeyloggerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

164.92.163.239:2382

Xyxebet-37690.portmap.host:37690
Mutex

snqun1p1UReEjGlM

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Extracted

Family

nanocore

Version

1.2.2.0

C2

193.42.96.15:12434

Mutex

7600a863-d6af-487c-b48f-386f2724b9c7

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-05-05T19:09:28.832691936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    12434

  • default_group

    New Bypass

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    7600a863-d6af-487c-b48f-386f2724b9c7

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    193.42.96.15

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      0468a48ea4ffed32e73c71ffa2625366.exe

    • Size

      1.1MB

    • MD5

      0468a48ea4ffed32e73c71ffa2625366

    • SHA1

      fce2a3133e4c6885833f8e84294a65862146271b

    • SHA256

      2e7f5d2a70c4101377a196eb3fb3f98ecfb3dccf4687a28294034856c70bd828

    • SHA512

      20ed61c56544bb63f9a3d118d2387f8dbda311326e619457cbc62be9ef91f3fe3ee635cb1bff55510332fafc70e886117adf4bb1b6f9790d0715dcc631d7d5e6

    • SSDEEP

      12288:yz7IFjvelQypyfy7z6u7+4DvbMUsIGoY2hR:yz0FfMz6TEbMUskLR

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe

    • Size

      1.9MB

    • MD5

      414863aa7119c788f473f89650c25803

    • SHA1

      45300792d3fffba9bc35e9f3ff2bd3e42dada29b

    • SHA256

      04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989

    • SHA512

      baabf728513a96c0ba2cc0d1f85177323d26235086de1ec1bef2c7781750d37906e9281cc6344a3024d5a5214590ac09f0efea4ab96222b71e63102511e040b0

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    Score
    10/10
    defense_evasionexecutiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral3behavioral4

    • Target

      04b096c64a6eb8b5b007dc43f98de1de21532931bce3480c452193514e74a88c.exe

    • Size

      604KB

    • MD5

      5a377703eb57160bed70e8a6ba1b2ee4

    • SHA1

      23884f4fbcc38b5987fe7cbdb63c1d8a45fbd8ec

    • SHA256

      04b096c64a6eb8b5b007dc43f98de1de21532931bce3480c452193514e74a88c

    • SHA512

      47985d8bd96dd3e66f08398e611495d679e083de9926112e1c7bbc3899e9132ef7eb478ce6ce5e201d5aeadb542158f18e2a188e5647333a429734576818e9a8

    • SSDEEP

      6144:StT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3riu:O6u7+487IFjvelQypyfy7iu

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe

    • Size

      1.4MB

    • MD5

      29683f5b4ad272c624cc2069e9b39573

    • SHA1

      dab6f53e6bf60cdd6ee20850235a85a10d57f28b

    • SHA256

      04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e

    • SHA512

      0ea2b3e67766f36d202850b5ad639383285eb93c7f626430b20f40990bd2a7e5f405ec91b782f3e1b12bc255a7637831114df06f753c039bf8774946752a48e5

    • SSDEEP

      24576:n8dvIOVmW6AbPsArkueRKmV3sNlHfiqJIu7:nowONbkBuyKmBs7iu7

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe

    • Size

      1.6MB

    • MD5

      f82f2ef304088a6c70fb7c56d7453d4d

    • SHA1

      ec83164a34f06f452b81cbe1e80481c56dc89d9c

    • SHA256

      051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9

    • SHA512

      cd75c63375de66ea9d6954252058a2e4d89cdb2d54d907424fa72a09c1ab5f3d9d2426eff93090606cf015d71bd7b509bf1eb7d94421811b1b445a15cdb9ddb8

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral10behavioral9

    • Target

      055434cfbf05d012a80abe18c0849d10.exe

    • Size

      32KB

    • MD5

      055434cfbf05d012a80abe18c0849d10

    • SHA1

      f624197f1842029b1a8715e6b78de472169d54b5

    • SHA256

      2d59e444a2f354a122d379befc343b3448fa9a38207fee810a7d323b9752c873

    • SHA512

      9e1383659ee465f37e120b554ba6d36340449698030913d48746e0f48e7e6cda2b8634e47c8121263fb49f591b8835907a0440310decad8368802ca47a168cb3

    • SSDEEP

      384:wEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFOL1dRApkFTBLTsOZwpGd2v99IkuisBi:1Va+vNtg+PB93Tw4e1dVFE9j0Ojhmb6

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm
    behavioral11behavioral12

    • Target

      056237071f0dd2efe7935111ddc88a6f.exe

    • Size

      867KB

    • MD5

      056237071f0dd2efe7935111ddc88a6f

    • SHA1

      cd1a1e69a5e4a670f6cd715b1b97abda66910671

    • SHA256

      91a1daecc64b2c6b6ebab79a7d19cbf817408842f1cc5d7b3bc932122648d3ac

    • SHA512

      9fe232523e47dabc19a63570596e2805a67c5b09db31d63efa8126b8de164e1e4c898e31c8a9ef808e895286e26438f0cd20b64198c5fcc6de8709a5567130a7

    • SSDEEP

      24576:LXLCsdURnaEzW8kmpCh1x5fJFWGWj2H92nkYNF:LXLCsy8FYpChtJFhi2djCF

    Score
    8/10
    discoveryexecution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      05bc9e241595cfb8331b3a2206ccd183c0419bbc06afdc5a6c89f1eb83180e85.exe

    • Size

      1.0MB

    • MD5

      574a944348e8e2d96ae312581fd246b2

    • SHA1

      42e7c19b9e96a16c8e45e7bd0110106a2f2a22a9

    • SHA256

      05bc9e241595cfb8331b3a2206ccd183c0419bbc06afdc5a6c89f1eb83180e85

    • SHA512

      5970d4d4d339719e9e7551392a6fb901994aa6aeecab9541ac70fb2672d0dc46c4660b817fcdc314942dac460ac43c8a8164d30ac26ee3a761779b5b06826018

    • SSDEEP

      12288:Pz7IFjvelQypyfy7z6u7+4DvbMUsIGoHuxOH2:Pz0FfMz6TEbMUskHqOW

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      063e9708222c323c44aac51f2f7add53.exe

    • Size

      113KB

    • MD5

      063e9708222c323c44aac51f2f7add53

    • SHA1

      90084863c7fceaa91404df0d91fa57121e74456a

    • SHA256

      06841cacdd0b48bce9eefc97e6c6449201321f95e3d5c0a2b5aff7cd97124051

    • SHA512

      4f5dd00bd5a36c1b8e087695afc4441af69c7bc6328f121e99d1f80b5571b1ba684ae33cdb253c0a8065d264ee83d513977cf36102f70868cbfd569348a69500

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMd:P5eznsjsguGDFqGZ2rd

    Score
    10/10
    njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      067dba33ec6de2a7e733bb64a32ebb10.exe

    • Size

      5.9MB

    • MD5

      067dba33ec6de2a7e733bb64a32ebb10

    • SHA1

      dbc8075ee823d50d3a6a058d582ee417e51b32fb

    • SHA256

      268c2bd3bec29465845b7dc6d979a366f4f155e406ce4486ba41953061641f35

    • SHA512

      de4efdcf0984e4368b60e2c52a276d0a4d24aa4348eb46aafc66e47c4729e1c49b0446b5b7a4e3483e4a8437bacace125d0710da9fbac9ad988c8328d7ee088e

    • SSDEEP

      98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4V:ByeU11Rvqmu8TWKnF6N/1wU

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerrattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral19behavioral20

    • Target

      069e1d61a61a6b7eaf2df36bcaf7419205504f4a5d83d82f096ba0f1117f5e6c.exe

    • Size

      369KB

    • MD5

      a71e0ce27c365abe7916712381b3f031

    • SHA1

      8be9eb44fa5d3e122182a6602caee21e2ffd4cdb

    • SHA256

      069e1d61a61a6b7eaf2df36bcaf7419205504f4a5d83d82f096ba0f1117f5e6c

    • SHA512

      b73b16f7e71738813f942bc11685fbb83b15b26a44d67c5f5e33e3587421554182bc16db379f195e7fe9b3a47de039c7fc4585c7784c6b4600e3c225aa9dd12c

    • SSDEEP

      6144:In6zJ4mHcCLCYTnWz79nWz7NYp6hYp6rvDLuimKkBREsVf+3L:b6m2QiQrfqREF

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral21behavioral22

    • Target

      06abb382ad59957f5f38c5c099a3b51f.exe

    • Size

      1.1MB

    • MD5

      06abb382ad59957f5f38c5c099a3b51f

    • SHA1

      28509e4bd32e4fd4bc4d64b8e41ee7bbae1c0087

    • SHA256

      bd7c02ba50734e9ca3988a4f138e3cb72956fdb24583fd7281ecbe9974bf06fd

    • SHA512

      4934fe7ddbb62d1c027fd5999c785733721287ea3d352b44d81386304e16a652086b7b7e30668d630796b2d0347c1276eb5d7a1694252e08b11299a95c8d5da2

    • SSDEEP

      12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops file in System32 directory

    behavioral23behavioral24

    • Target

      070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b.exe

    • Size

      1.1MB

    • MD5

      8178e5a952fb588b857dfb7ad3317e6a

    • SHA1

      bd304f931d02f01c5f3aa3a680e633b989ddee11

    • SHA256

      070c765850e2f2bdfda3f7dc34b78fee9ceaedbe535aa29feec8e63afb5e3e3b

    • SHA512

      27f4516b3faebebe03564899ebe542687f69ba6e93917b66151e472ce011ce7e726eb814c5696d9cea28b7cd297bb32bd75a3de6adceb40e6bdacf18591da87e

    • SSDEEP

      12288:d6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:d6NReJXJIwvJgVQSoPEzKkLXa

    Score
    10/10
    dcratinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral25behavioral26

    • Target

      071dc8716c274c05bbebc4900432b8298ad34c138c446fdc7c4144ba9a68fff5.exe

    • Size

      1.0MB

    • MD5

      522cc0dc10567802aba0c427054b2ed8

    • SHA1

      9813d84450aa26419223bc179d06b4282cfc7257

    • SHA256

      071dc8716c274c05bbebc4900432b8298ad34c138c446fdc7c4144ba9a68fff5

    • SHA512

      877482ef9bf01eae4c74c944835a01d9921aa6ae9a483452ef7ff96e0d73101d12d9f96395a99544f3dd818b105b4a4335b95b70e5682ce54e69a79edc1780bb

    • SSDEEP

      12288:Oz7IFjvelQypyfy7z6u7+4DvbMUsIGoHut2k:Oz0FfMz6TEbMUskHm

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      071eca863103f782de4c5c0b02cd7aba3d8d15e7f44a9c412385b10c1499c7c1.exe

    • Size

      527KB

    • MD5

      01ab4cb898f7adb5049339292d5634e7

    • SHA1

      c142e9cec1ce1208799987621c1adf649f214f09

    • SHA256

      071eca863103f782de4c5c0b02cd7aba3d8d15e7f44a9c412385b10c1499c7c1

    • SHA512

      93a7c41d319f47a6abc2bf06974b004771996b8e5117e30e04cef458544646441c3d4a511687cfd94dbaa3c7c132726f0b01d4f1807defb9b1d586a901439337

    • SSDEEP

      12288:Z9vC7Yi2/SJyf57ZVDV2TNgKKwDQagNL4n+3Z2iN:Z8kSkB7ZVUgHwDKU+3Z1

    Score
    10/10
    nanocoredefense_evasiondiscoverykeyloggerspywarestealertrojan
    behavioral29behavioral30

    • Target

      0736e2c073088395349f1f3c923c211f0d62fcd794181a9dbf6d5366cabc6647.exe

    • Size

      1.9MB

    • MD5

      efeb41149ebe2e2a9c2f65197b26c50e

    • SHA1

      bce5c0489fdcb97e393c8134dbada6f877a6cee8

    • SHA256

      0736e2c073088395349f1f3c923c211f0d62fcd794181a9dbf6d5366cabc6647

    • SHA512

      2a8462a25d2457a362d3d2fcd70480c49ae6dfa30dd699caf4196da91aa47bbd558dc0e4c1bd4270d2069ae88c59de4fb657973ec7b324197c57142e0a3bcf0d

    • SSDEEP

      24576:wD39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH6K:wF+QrFUBgq25eKu6K

    Score
    10/10
    remcoshostdiscoverypersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

ratdcratxworm
Score
10/10

behavioral1

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral2

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral3

defense_evasionexecutiontrojan
Score
10/10

behavioral4

defense_evasionexecutiontrojan
Score
10/10

behavioral5

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral6

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral7

discoverypersistence
Score
7/10

behavioral8

discoverypersistence
Score
7/10

behavioral9

dcratexecutioninfostealerrat
Score
10/10

behavioral10

dcratexecutioninfostealerrat
Score
10/10

behavioral11

xwormrattrojan
Score
10/10

behavioral12

xwormrattrojan
Score
10/10

behavioral13

discoveryexecution
Score
8/10

behavioral14

discoveryexecution
Score
8/10

behavioral15

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral16

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral17

njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral18

njratneufdefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral19

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral20

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral21

discovery
Score
7/10

behavioral22

discovery
Score
7/10

behavioral23

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral24

dcratdefense_evasionexecutioninfostealerpersistencerattrojan
Score
10/10

behavioral25

dcratinfostealerpersistencerat
Score
10/10

behavioral26

dcratinfostealerpersistencerat
Score
10/10

behavioral27

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral28

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral29

nanocoredefense_evasiondiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral30

nanocoredefense_evasiondiscoverykeyloggerspywarestealertrojan
Score
10/10

behavioral31

remcoshostdiscoverypersistenceratspywarestealer
Score
10/10

behavioral32

remcoshostdiscoverypersistencerat
Score
10/10