dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_44.zip
Size

76.0MB
Sample

250322-g1agasy1cx
MD5

18c22980ec2333d1f6f7379e660fbf50
SHA1

3ef0501fb2a55d29cb12337e61e359f889d5451a
SHA256

37393231ee6c2f1e4e81bb820867302f509abe5108d7e6eac891fe1ab4b66ca5
SHA512

b523bf1e9cf8137218fe31a2e4fc48394094da72a0a9dc92ebd02b1621550822b51520a7d947ed3e231e0b01d79d34fe91df1209cd1e08437aa94b6e36d151f6
SSDEEP

1572864:EBKCaUtrcCh6wfSg0LFo0GknoHVu1eBILsnKyjoTXn4jBcE9IJuvDBTJKQ63552:UaoThZjp0GeUIeikUXn41cEyUvDxJKQZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office01

185.231.252.213:4782

Mutex

83869558-8cdc-407f-8360-c60becc36814

Attributes

encryption_key
319FB675FBEF028D45A1B7802E958A563903B876
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
update
subdirectory
SubDir

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

basmtrke00.ddns.net:3973

Mutex

02c6a3ddc15acb52e13cb343da5f8619

Attributes

reg_key
02c6a3ddc15acb52e13cb343da5f8619
splitter
|'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

1.523.6342.54:4782

Mutex

4ea1f729-8980-4f1b-adc9-9454a6c89510

Attributes

encryption_key
6F5616F7DE99189DA1F7FA4AB4982DF3EAD0C9AC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

njrat

Version

0.7d

Botnet

mes victimes

fortoriko.ddns.net:1177

Mutex

4dc41d8131b87f451d09b38822b8d7d8

Attributes

reg_key
4dc41d8131b87f451d09b38822b8d7d8
splitter
|'|'|

Extracted

Family

xworm

many-bolivia.gl.at.ply.gg:3891

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

sun-jpeg.gl.at.ply.gg:6021

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

xworm

Version

5.0

bin12.ydns.eu:4050

bin14.ydns.eu:4050

kingsbkup1.ydns.eu:4050

smfcs1.ydns.eu:4050

smfcs3.ydns.eu:4050

Mutex

eFgRwYcigKCR8e0p

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  b4d16a23c4f84119b08271727b504dc277cc03929f4437c01640b9fe610474cd.exe
- Size
  
  613KB
- MD5
  
  cff20d9f7f76757b275b3a16d3049202
- SHA1
  
  7b5e6a7f2bcfbcf97d39959c23af64983192efbe
- SHA256
  
  b4d16a23c4f84119b08271727b504dc277cc03929f4437c01640b9fe610474cd
- SHA512
  
  cd11ab204f0aab8ac64a88686f99c49d1f8fa7d2f828bf2d5e0ead7fb80fde9fa4cd9e3a6b36fbe4ffb2baf7c1c6050f87fcfb057728a25e4868804483bb8bf7
- SSDEEP
  
  6144:5tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3riT7:T6u7+487IFjvelQypyfy7iT7
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  b4eca0b7629d60f6cf396e664ca50add98b7376955d993c98d1399bab2da9ae1.exe
- Size
  
  1.7MB
- MD5
  
  5b07b7f9077f6ad7da2e4ecdbded266d
- SHA1
  
  2d9a86ee203bf5c07e7a8d523f38d72df15eea73
- SHA256
  
  b4eca0b7629d60f6cf396e664ca50add98b7376955d993c98d1399bab2da9ae1
- SHA512
  
  acc55be262e801a42d9bed0806e27ff555f86acd699831e115918a982316b6fb5feb46dd321c8305784d353a3a999b86dfb97f7142ccfab14e3d60b4b198baf6
- SSDEEP
  
  49152:mAjys7tNQJ/W2noaITYbNbNWo4kSH3OqtwI+mro:xjysHj8IT4bNJFY3Oqt
Score

1^/10
behavioral3 behavioral4
- Target
  
  b4f9f36ada3d9d3cf8af85679ea3a007.exe
- Size
  
  885KB
- MD5
  
  b4f9f36ada3d9d3cf8af85679ea3a007
- SHA1
  
  521a77168a7fd708991a4fd42c9057928f99eb2d
- SHA256
  
  4c40fe8d556366b3bed82a8bca55eebee2c93c9b880059ef3d9323af81ff2769
- SHA512
  
  483f516bc3ad4de0f98d0d321f5d53685c0099a21284a39471de9419cce2d412c0b96869c815a52d96c95cadb5f0edbbce55040f3eb3fe0f58cae14e2f76c0cf
- SSDEEP
  
  12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  b5002c08a1be3be44a14092d1eb62f69858b5e772df4f86e67339a2250c522bc.exe
- Size
  
  351KB
- MD5
  
  8bb974a955b5fe6ff74c775a1c3c7570
- SHA1
  
  bece48b62c2932ff93535cbeeb8d8a486e54f486
- SHA256
  
  b5002c08a1be3be44a14092d1eb62f69858b5e772df4f86e67339a2250c522bc
- SHA512
  
  7b93154b13a7f2c9c568acdeb659817f6fe05ced86eec930725032a9e588e56f6e2e062551586a03c14f57498428cb84e9dfd7ca45fc646b137db8cefc486204
- SSDEEP
  
  6144:YeC4EwZFoobUk8qp0qpgogZfpjkNaXiCEa4+G:8fhuLwflkaO
Score

10^/10

defense_evasion evasion execution trojan
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender TamperProtection settings
  evasion trojan
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7 behavioral8
- Target
  
  b55e92f4a25bac9a1f90a8cf3d7ef9c91d1649598d692eb497d8fed1f20a97a6.exe
- Size
  
  3.1MB
- MD5
  
  87dfddb45995c73454ba66221a7d5ccb
- SHA1
  
  e19424b088d2bbadce97c09bb47274b0a903a0f1
- SHA256
  
  b55e92f4a25bac9a1f90a8cf3d7ef9c91d1649598d692eb497d8fed1f20a97a6
- SHA512
  
  ca836583e98785ade578648a721dd9e541c6a41ec2b72b92b7ba6af186000c4b224ea4a7a635f9a4dbd8e582932cd346ca9216c34b633818cbddec1bb04cfee2
- SSDEEP
  
  49152:mvFt62XlaSFNWPjljiFa2RoUYIsIxNESE0k/i1LoGduTHHB72eh2NT:mv362XlaSFNWPjljiFXRoUYIfxvN
Score

10^/10

quasar office01 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral10 behavioral9
- Target
  
  b5687bfac89811969dd02dad17352b82.exe
- Size
  
  23KB
- MD5
  
  b5687bfac89811969dd02dad17352b82
- SHA1
  
  ff73a7fbc59f7526b3870a0671684892c95d5a8e
- SHA256
  
  0df1dba9c9dba4530afc0ccc8afce37ffaf3517dc361250f8ba95a3bde2858a9
- SHA512
  
  50587f37bd81bd78ba75941d8502b9f9e7fac562d2ea1a9c137b7c19e10bfe81e1759a38cca230f7f0e75489acb38174de0fddce777419911dba01ecdf482dd7
- SSDEEP
  
  384:Pc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZ0z:te9EJLN/yRpcnux
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  b580ffe62d19e702d07e69a2f421a298.exe
- Size
  
  506KB
- MD5
  
  b580ffe62d19e702d07e69a2f421a298
- SHA1
  
  37592b4ea117b2c3d84ce09abae69d5f7c5d67f8
- SHA256
  
  4eb1993ce579eba3003f54035f826740b7a7eb0a2e2e3162e462f7d522735c2a
- SHA512
  
  5b2ae5c8a86f3e9b0f901f73cdceb4e2b993a615d25ad9300815b526f4ce25e8b6ec453925450a72486c00033aaf4f2092a78d2baee297e18718957d76611bc4
- SSDEEP
  
  6144:Aj2U/H3SACBa5FLFNSmjOvTe4ifmDCFPQLw5bIDN830wS7RHFABVP779VXi:NU/H3SACBiuSxmDCFPQkeSrSwV
Score

7^/10

spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral13 behavioral14
- Target
  
  b599b9b1d6311136ef7c416782fdd16f.exe
- Size
  
  98KB
- MD5
  
  b599b9b1d6311136ef7c416782fdd16f
- SHA1
  
  1f1ea79e72a003c554ffa97b6bbefb5c2a457487
- SHA256
  
  8098c40545788f51d9255f9ec41960947cb8e42a4d297b89ae0ab4cee1145fb6
- SHA512
  
  ebb64eb53ae392ca6369143a0786ee0edea0820c86cc535a1ce7b85435bf436a12555a8c0cd5b3bef976f786e0acfe0a3a4b8507faadcfa4179344f9000ea7e0
- SSDEEP
  
  1536:nBhsKza/PGfvoqV0t+fDVBAeR1os2tSBQKSypTmRrlcm9xML53HW:5Mqit+f331GRKm4t53W
Score

10^/10

discovery xworm rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Drops startup file
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  b5ac1858b7313eca6ad65f6506620f1a.exe
- Size
  
  40.3MB
- MD5
  
  b5ac1858b7313eca6ad65f6506620f1a
- SHA1
  
  3b28ac50e965f2c56135616d0f52d5ccd9213c2e
- SHA256
  
  f214918bf7299ec08409db0c5c459d27a88edcc0252852a319f9988ef2970cc4
- SHA512
  
  ff23da07018e0e13dc85de8240c6ebfa3f06ccd1f75f4389d488b20097594e794d4f809db81ea3352e3743b87a5ca9ba253f5a23b0ee184d0c353c3c58c96e4d
- SSDEEP
  
  786432:cgCamkV/mkVeOO/nekao+GbQUAJ+kfCxGyLwbJ4LUMsQF9zmt37vDI7kot4+5:cgsEeEeORkao+GbQJEkfCQ00JuUFgo9w
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral17 behavioral18
- Target
  
  b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
- Size
  
  530KB
- MD5
  
  64aa30b5594ae016414dda4be0aee3f1
- SHA1
  
  488e5b6b086d9898a74fc8d01d0cebd1f6f38a64
- SHA256
  
  b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174
- SHA512
  
  950c4f67f7e631d685bd452a75ffb1925a95e02e8e8fb730b59fc8e65639c6edde919069f86ea12c565bbe4eecc1f82fb35e8107e889fb567a7537de80a5ad48
- SSDEEP
  
  6144:LyIqmGLgf01enzg6aoUN5Fe6VlWT8b96cfHJ9qFYNF/PHW2DGbDeY6Odn2:GBd58ziPFPVle8ompIuFX22DSz6Odn2
Score

10^/10

persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral19 behavioral20
- Target
  
  b67576c827f1d682c6863ee2e1b096afb845073be33737653fa7754565634ce2.exe
- Size
  
  2.0MB
- MD5
  
  0cbc827f7d03ed491133ba7ff385203a
- SHA1
  
  e906b5866068fe897685b859e19f802b6c8c079d
- SHA256
  
  b67576c827f1d682c6863ee2e1b096afb845073be33737653fa7754565634ce2
- SHA512
  
  80cfc938aeec5181800225876f937dbc17281bfa19f6155cd09e7f3621bdab4619a5178d2d14e0756f425bcc154a68fb531f27fa3d29a6b289ddda12b19ab7e0
- SSDEEP
  
  49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral21 behavioral22
- Target
  
  b68768d198b634640052e1541b761c4940795292cb1bc0cd4349a7c9d1292da8.exe
- Size
  
  538KB
- MD5
  
  d8de404bce08eb0f72be61226f714792
- SHA1
  
  bc703b8c717b51da28cba692bde6aae39c79f814
- SHA256
  
  b68768d198b634640052e1541b761c4940795292cb1bc0cd4349a7c9d1292da8
- SHA512
  
  e539e83bb1a0bfbba1ebc77c031d666754282d05dfa4a4aa8cabb1cfb0c85a689905446210463da86dc772d165440315d5e05cf77e1428a5c8a2dfd533a67915
- SSDEEP
  
  12288:qEsZ/xlloFaTwSc1fVhSOMC+rxHfoT+gmmFApAEGw26eG3ckR:qZZHl9a1fTPdMQT+pwvw2613r
Score

7^/10

collection discovery spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  b6982d011a327e88728cfc8b6305503b.exe
- Size
  
  999KB
- MD5
  
  b6982d011a327e88728cfc8b6305503b
- SHA1
  
  062fa217e9e470a4519cf52317103cebe8df8d20
- SHA256
  
  219bf63bcfc9f321c2a5c0ca3aca0e5dfff80d7dd75537ebf2e7df9aac879ec1
- SHA512
  
  32523771889fa8ad9bba0b0a4537ec8794b29a4ef68d3084e3886162bb2fdefd8251924a042bad7b5b28ef14b08aa3b81478195530c6875e78878c7355bee910
- SSDEEP
  
  12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral25 behavioral26
- Target
  
  b6b7f4db83367b212cbd15bcfaa2eacc.exe
- Size
  
  3.3MB
- MD5
  
  b6b7f4db83367b212cbd15bcfaa2eacc
- SHA1
  
  f44e6d8345d664c388af181718776c17c7c85551
- SHA256
  
  e66f77f1b0cf350056c07ee5045b8c97a8162ba319be8428ab955a2f76b35ce7
- SHA512
  
  fe1b792ae2b373b119f553bb4f8897d4b053fc542b491e070e255e2688add337ce92771c1920ad1c7f275c9eb191e80041b030f163ccb1da050a1f6bc05e8a73
- SSDEEP
  
  49152:BbFjywHPqW+6pFTfcwqPvPL1CBRbOiLpaNjXlKDOERym84ED0n:JF2wSh63flkvPL1CBRbhLkoqVmp
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  b6baedc86ebdd4c9c3cc812f509f777b.exe
- Size
  
  999KB
- MD5
  
  b6baedc86ebdd4c9c3cc812f509f777b
- SHA1
  
  1dfd321978faba568b114ef07a663e799899b0c4
- SHA256
  
  7197f07c5612e994e7f66a40975e6ebc328847ab957ba0c84625e1c9f4543c69
- SHA512
  
  6b292e829209cfc6e2f7c7cd2c4afc4ce77cd36042e9af9494ad934f1ff840f7050511c09a54fcf9b4e2fafd27492ae7ba295bf8783e4158ed369b4c20440aa1
- SSDEEP
  
  12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral29 behavioral30
- Target
  
  b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe
- Size
  
  3.1MB
- MD5
  
  7bb322724d054ab41dbd6cdd7c1cee0d
- SHA1
  
  0ecc58c184035f0edb3e0a931b0d58b45b33efa7
- SHA256
  
  b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2
- SHA512
  
  ac49627d1f0334b0abc1187b3dd5e0eb55617d13b3f82aff9fb9dac22f1b90a80458831d444de5415653faae762488d8b9f5cb797ad4434eaf2e23e3ac65e8d0
- SSDEEP
  
  49152:PvHI22SsaNYfdPBldt698dBcjHqxPEak0k/LCqoGdqpTHHB72eh2NT:Pvo22SsaNYfdPBldt6+dBcjHqxsHa
Score

10^/10

quasar office04 discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral31 behavioral32