dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_53.zip
Size

68.6MB
Sample

250322-g12wjsy1d1
MD5

285490fbf4e0215588b65b740787d17d
SHA1

b3457cc9722f8752a20b2f980770d9b65458b740
SHA256

35916e8b40ec27b8f3a931566a94f5a464dc9e5783c7fca1bdd194e7193bf0d7
SHA512

9c4ec2bc18bc4ac44b63fa4235de214c48912467ae4729b6f949c03ce4f9589368479f43744216b794f9050601c09113a2be3014dbf6ca0c11b16e18282a8f49
SSDEEP

786432:kPwtbgVAw2PUlCh39IZf/COyQ37ja0yQ373bZgC5d+xhFDeplZegOhWGnVnxsxwa:kPEV2f/GQmQZgi9On8w3FuTEaFD

Malware Config

Extracted

Family

xworm

tuesday-losses.gl.at.ply.gg:24249

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

xxlxali.ddns.net:1177

googlescholar.ddns.net:5552

Mutex

0f281b12f603c40d203a8a7911c030da

Attributes

reg_key
0f281b12f603c40d203a8a7911c030da
splitter
|'|'|

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1352074313637040299/DaIqmrl4-RRLnnS_X4wVUPZCmbp3cTSZRQ0dJxZUiP4Pd-ysCQr3xWaGqwaS0KEbQxuh

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Targets

- Target
  
  d4f7e0c033fa7006a593674e3052cc35.exe
- Size
  
  81KB
- MD5
  
  d4f7e0c033fa7006a593674e3052cc35
- SHA1
  
  ffb1c70832a502acd3b6227d6ba144bb1408f343
- SHA256
  
  6ffb3314cd915ba817dda62724ff41e1b179a4a6c0cddb9e4c99324027b2cf3a
- SHA512
  
  9eece4d936292af114d3d7aeed1c03322996fcc238ad663d2fcf843e945e5fdf6e425b8d000ffafd95427fd428e5201927097991b7f3bae3e30fc7c45345c804
- SSDEEP
  
  1536:7kP/9kSRQDF0VELVf1aALoF1DEC4bmqoISYksrQQ6P5pbozON1EIkYFV:7kPVc8M1aAUF1DELbT1cozOLE6V
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  d57a15943ae8a9e653d5a6c6870271b8.exe
- Size
  
  765KB
- MD5
  
  d57a15943ae8a9e653d5a6c6870271b8
- SHA1
  
  88cbb9608655aff73e6b25f480195d9075bbf90d
- SHA256
  
  f41a34f1928e3fe560dbb50b78edd0c2deed9cf4a7f8be9b80a96d4c3feb6ca4
- SHA512
  
  1c55d91a95176c5cfd125c28b47d8d3253782c64a67b80064f5f350ed5f2b698c17dfa8607665b9e45d892abfb05e81eb41907332e321edb2ad9847b1d2baefa
- SSDEEP
  
  6144:UtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKA:Q6u7+487IFjvelQypyfy7cnKA
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  d5b7e88e919915c58afbaad1d7cb2531.exe
- Size
  
  700KB
- MD5
  
  d5b7e88e919915c58afbaad1d7cb2531
- SHA1
  
  fab14c9ad635911f61b1050b2ada480e9936ca59
- SHA256
  
  9462494ac0129d85ae5d2f24597fc4a424f05fa5651513def1c77ddf66b01374
- SHA512
  
  e2a090a2c046e508db11b73d963fe85a644ecad8f380d6f4a9f75c972c2cd60c7295359c85c0cb0407b67a87ec52fa1a31dccc34619c848f2234b5d562c6d293
- SSDEEP
  
  12288:fiBqAJsZ6xFR0yJCjD4wjqSGyVm0YpAxRZGgkdoXAk12grWa7CmWgiWMFMa:fQQExFa2uUwjqSGywdGjZrkdcAkrrCjm
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  d5b9cbc990cc88135ff80a41945ea3c940b8726e286812fbf402dbf5f2f66bbf.exe
- Size
  
  1.4MB
- MD5
  
  c996e9cc8b8f268c29e9be1d41152822
- SHA1
  
  66583f2df41a12f3bb4301137165fbcc64a57552
- SHA256
  
  d5b9cbc990cc88135ff80a41945ea3c940b8726e286812fbf402dbf5f2f66bbf
- SHA512
  
  a94e1ab92b246fdfb79ad6deb780895a4d16ec593073905641ebe098002814e9310531c012c1b4615b5e44cef06d087f267a6479420f549c9b020023af3b5f1e
- SSDEEP
  
  24576:a8dvIOVmW6AbPsArkueRKmV3sNlHfiqJy:aowONbkBuyKmBs74
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe
- Size
  
  12.4MB
- MD5
  
  8da54daf75efab1bd1c80477c3920e05
- SHA1
  
  54a4db78f9c0c0fd7b6826033f145365a912b979
- SHA256
  
  d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556
- SHA512
  
  b5903307029bfee87b2a302a5d07f9972491ed4ed7055b8b17b41579f0d00924b8ac188fb89b73a7397fab1a22009b851e5cb87a2b424f920f34946cd7ceca11
- SSDEEP
  
  393216:xGg4aeGg4alGg4anGg4aPGg4aLGg4aYGg4aWGg4aEGg4au:5cNXPr2kyu
Score

10^/10

xred backdoor collection discovery execution persistence spyware stealer
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  d5fc43e4e1fb229c3f946ac0417a0a630b0809b33a2f1bacc7b81f45006fbf1f.exe
- Size
  
  3.7MB
- MD5
  
  c137f197f6054c45d42b15e351f37b6c
- SHA1
  
  8851b3a6762d38b2bacf70b1bd021781f9fc9073
- SHA256
  
  d5fc43e4e1fb229c3f946ac0417a0a630b0809b33a2f1bacc7b81f45006fbf1f
- SHA512
  
  86512f988fe683812ac54b3baef7dada1dcc15f10bca8dff723f95e5993c42f3785f184e1ceb8d0e4da0773296c1140ec7cdd6f78121e5b0506d4adca015a45b
- SSDEEP
  
  98304:pIyDhDrglcYmUV2nG6fQeF05l9/wE8W1w9Gg:tDhDrglc4V27fG9/RF0
Score

1^/10
behavioral11 behavioral12
- Target
  
  d61876ddede62df51f22178f3f3810d3.exe
- Size
  
  1.1MB
- MD5
  
  d61876ddede62df51f22178f3f3810d3
- SHA1
  
  f61526c97f574e637c624293249c612894a3706e
- SHA256
  
  db703d6a45db327d773c77238bed0a9905bb2c2a049bd4467fc43ab0df12e735
- SHA512
  
  4b909d0c38361a5daa93b89c84182f48bb3f0352d72a40917700e0de83cd9ef7ae399487b50cb2bb44a1066aac91750b5aac44c2c681f20d4848f609800dbfa4
- SSDEEP
  
  12288:6mc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:6h4TbLUEhZL/GspeYhkc9Soh2SfwJ
Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
behavioral13 behavioral14
- Target
  
  d61b23d4acf185dc6322a40c7f0f56e0.exe
- Size
  
  23KB
- MD5
  
  d61b23d4acf185dc6322a40c7f0f56e0
- SHA1
  
  90f6f4fa60866f3704511f12b6453e4104572336
- SHA256
  
  d7322f0f7be2eee421ed79fd2be0d8a01d38b0b8663b6c6a1eb29afe4d63f6e0
- SHA512
  
  a72d51948bae56df0bab442b5b8a8e04f8eba03cb102a9962cd5582830af157d961844d2918390dc1ee74fb6814996ccd76ba4ac23a57d0cd6a8c2db11562e86
- SSDEEP
  
  384:rweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZuf:MLq411eRpcnuf
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  d690267038d2a718d56558e839b2613a.exe
- Size
  
  347KB
- MD5
  
  d690267038d2a718d56558e839b2613a
- SHA1
  
  24eb35483762da9cd99f113bc2252516a1806b76
- SHA256
  
  15b9622370397ba0679cdefe1a1eb00883c58a588f0d08cf825e89447bbb4b25
- SHA512
  
  aa2861ae8f02dea35b66f9f11c17ad5231fb5b20ac039dd3c4814abb7b5af7093eda4449c2ec9a34f1dccf658b2a359c591295af0901d0dbfaaa77b791347714
- SSDEEP
  
  6144:CCwHsJ+q0CwC40mb8411g49pPdMFMhITJfjjBMz8mvtUPHjEG0EILMTWhDQas9gA:QIx74VMFLT9RMz8AijEG0tLzhDQr9gTU
Score

8^/10

discovery persistence
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
- Size
  
  1.9MB
- MD5
  
  733112fa2d9d15aaff3659ea9e2d3b4c
- SHA1
  
  85a535c82f3f869fd52b0199b2ef4cbddb979c68
- SHA256
  
  d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c
- SHA512
  
  74b123f9717bc2a49ff9a814e441a54c4b2d9969ec30cbb692927bd10e93884237b6f8cbf87480bab76ec7835ee5661baa9d06e56887ac3ab530b366efe04c25
- SSDEEP
  
  24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral19 behavioral20
- Target
  
  d6a9816b0df03fee5229e490ff3bfa2a016c0eeb9658b09fd6538a34e469579f.exe
- Size
  
  229KB
- MD5
  
  2cc497764f74c869c4d55e3ee4c39001
- SHA1
  
  33a1089a2ab525abd3a22ff7a15aa1ac1c528e51
- SHA256
  
  d6a9816b0df03fee5229e490ff3bfa2a016c0eeb9658b09fd6538a34e469579f
- SHA512
  
  c44611aa7016aa16ed81e7191341825ca112bc9a01172c3d92c5c00c4cadbd5fac9eaed3088bd8009ef1670766ac7d3258d1ce884220a1eb172653dd7ce6f566
- SSDEEP
  
  6144:oZSk3UNeXic2+Fdo4FmKsDf7cJMhssbw:aSk3HXiGvDfuf7mMhD8
Score

1^/10
behavioral21 behavioral22
- Target
  
  d6e2e288705c6ca37ed2968b4ff7e7ca.exe
- Size
  
  1.6MB
- MD5
  
  d6e2e288705c6ca37ed2968b4ff7e7ca
- SHA1
  
  8f716b10bcfbb3adde8630ac0b4753068d3acf3b
- SHA256
  
  9d2b3033c9a5a32d0f15fd62edf41ee48ae15b47db8b7e0ef3208e5e5a7a3bef
- SHA512
  
  164fc15637eb15d663a6e436203fb9982ee7a8a867c2653f9505434424011cf13cee96008bcd6c0fee1650e713ac5a3a6bfc3a74798bf56f661cbe1d2c612743
- SSDEEP
  
  24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral23 behavioral24
- Target
  
  d70550d5d46716704be759d325b3a8f0047905a4f170abe251491f13b3a563cd.exe
- Size
  
  479KB
- MD5
  
  4108be2ce5edfafd01d7d87b6a983817
- SHA1
  
  e2887d892933d40ec934f0ea9d4d656c3e55eba8
- SHA256
  
  d70550d5d46716704be759d325b3a8f0047905a4f170abe251491f13b3a563cd
- SHA512
  
  aaea28a7e6bf26102e699c1d0f0f6cb1cead9f035c0dd963596eb37bd2bbdb5c6f278de4cbd0e9aa9deee27f4927a67452083e4c77eb7ef878af1687bf05dbb0
- SSDEEP
  
  12288:aysT/34sSSbiLYStKT7yFPb2bNRKzsSWp:ar3OSbStKHIPbcNRKe
Score

10^/10

quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral25 behavioral26
- Target
  
  d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe
- Size
  
  369KB
- MD5
  
  b6c96e7e2111b5ee133675104824493c
- SHA1
  
  abf5259cbaf7e73721523719bee61a5586c47d21
- SHA256
  
  d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db
- SHA512
  
  3a4e395961ad70a806df4dd16ccac9ee6d692ffb4f7180c3409ad9dc8168c4f28f83b8201d3f2a7bde01f6bc820993881b85905e5768faf769a50649d1a096c0
- SSDEEP
  
  6144:2n6zJ4mHcCLCYTnWz79nWz7NYp6hYp6rvDLuimKkBREsVf+3Kg4:16m2QiQrfqREx4
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral27 behavioral28
- Target
  
  d735d6b2f34e9a7cd2604d3036ac8486.exe
- Size
  
  1.6MB
- MD5
  
  d735d6b2f34e9a7cd2604d3036ac8486
- SHA1
  
  a9573454a2ad6414594b5b0f8d69e2e82bae35d6
- SHA256
  
  c5fa332ed4a6180d87d8b8f63d024a740117ebc2dcacb4e314483013f68fe488
- SHA512
  
  d29023f2d896eb06e2e740423396a9fe17d91bd30f7ee2e8f3374cf73d947e8c761c1c48071ade640db2a597c8c17542b94950f57a05cc84bcf47147013eb9a1
- SSDEEP
  
  24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral29 behavioral30
- Target
  
  d7508b07903325957294ebdcb89bd5b3.exe
- Size
  
  1.1MB
- MD5
  
  d7508b07903325957294ebdcb89bd5b3
- SHA1
  
  b6280b6c5e4b601ba3182520eca834aecd1ae1fc
- SHA256
  
  4fe2546f5efe48febc2db59093ceef7b1c3db73e3b11ba026bfd8c4444b2af8e
- SHA512
  
  e79cd38b556481bd3da6fcde5e924c2c0161a7e26ba635d02f393a424cf675b63e61948c7162abc06c487ae661ff431062236327be9b68be90e6ace7bfd23808
- SSDEEP
  
  12288:p49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:pngTKZ5RU/xG7zsEyEve6SZ+dIe8usv
Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
behavioral31 behavioral32