Behavioral task scores
Sample (truncated)     OS                  Score
c7cf70e4f1...03.exe    windows7-x64        1/10
c7cf70e4f1...03.exe    windows10-2004-x64  1/10
c7cf7f1583...df.exe    windows7-x64        3/10
c7cf7f1583...df.exe    windows10-2004-x64  3/10
c7e0e2cc0b...a4.exe    windows7-x64        10/10
c7e0e2cc0b...a4.exe    windows10-2004-x64  10/10
c82cf03dc7...94.exe    windows7-x64        3/10
c82cf03dc7...94.exe    windows10-2004-x64  3/10
c82e8ca52a...ec.exe    windows7-x64        7/10
c82e8ca52a...ec.exe    windows10-2004-x64  7/10
c855759c0f...28.exe    windows7-x64        10/10
c855759c0f...28.exe    windows10-2004-x64  10/10
c870e41803...a5.exe    windows7-x64        10/10
c870e41803...a5.exe    windows10-2004-x64  10/10
c888e1de25...e1.exe    windows7-x64        10/10
c888e1de25...e1.exe    windows10-2004-x64  10/10
c8a241ce60...9d.exe    windows7-x64        6/10
c8a241ce60...9d.exe    windows10-2004-x64  7/10
c8b8a4b9ce...ee.exe    windows7-x64        10/10
c8b8a4b9ce...ee.exe    windows10-2004-x64  10/10
c8bdecaa93...15.exe    windows7-x64        10/10
c8bdecaa93...15.exe    windows10-2004-x64  10/10
c8e7700ee6...e9.exe    windows7-x64        10/10
c8e7700ee6...e9.exe    windows10-2004-x64  10/10
c91bc52cc5...0c.exe    windows7-x64        7/10
c91bc52cc5...0c.exe    windows10-2004-x64  7/10
c93d951c2f...12.exe    windows7-x64        10/10
c93d951c2f...12.exe    windows10-2004-x64  10/10
c949630c94...1f.exe    windows7-x64        7/10
c949630c94...1f.exe    windows10-2004-x64  7/10
c94fcbd3ca...a9.exe    windows7-x64        10/10
c94fcbd3ca...a9.exe    windows10-2004-x64  10/10
General
- Target: archive_49.zip
- Size: 61.7MB
- Sample: 250322-g1pwzsy1dt
- MD5: 675f782437b47a4d46edb74ca9d25eb5
- SHA1: dd5862121b58a22b2bfa1a059b47efd95333cec5
- SHA256: f08d555b265bc840ef4d7904f37de7886b276d3b2f85180bb63b0e29445e02b1
- SHA512: 45da737a4fbe83605d8cc3620470667a611ea1ad929d4346368525c076a63ccfa96af3c501c5baae599852d5586794788f01bbdf20e6764fd7e68af16e5ff899
- SSDEEP: 1572864:eQKqZ5MAdDFpKlC/AhFGkAid4XuK0fV4Uz4vd:eQKWMvlC4HAjuK0iUG
Behavioral tasks
- behavioral1: c7cf70e4f1b3a0683850a99c3f6fac8461ad028ec9f90c79eb209fa3b566e103.exe (win7-20240903-en)
- behavioral2: c7cf70e4f1b3a0683850a99c3f6fac8461ad028ec9f90c79eb209fa3b566e103.exe (win10v2004-20250314-en)
- behavioral3: c7cf7f1583d461202a26e85770a8f15a8fd83a37d1f9d3a5ce8ee19a3b7efbdf.exe (win7-20240903-en)
- behavioral4: c7cf7f1583d461202a26e85770a8f15a8fd83a37d1f9d3a5ce8ee19a3b7efbdf.exe (win10v2004-20250314-en)
- behavioral5: c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe (win7-20240903-en)
- behavioral6: c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe (win10v2004-20250314-en)
- behavioral7: c82cf03dc74500d9c2a3451c0a01c7601f431b47003fe71220153f4734b83c94.exe (win7-20250207-en)
- behavioral8: c82cf03dc74500d9c2a3451c0a01c7601f431b47003fe71220153f4734b83c94.exe (win10v2004-20250314-en)
- behavioral9: c82e8ca52adaef2ad87a8f855739f4ec.exe (win7-20250207-en)
- behavioral10: c82e8ca52adaef2ad87a8f855739f4ec.exe (win10v2004-20250314-en)
- behavioral11: c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe (win7-20240903-en)
- behavioral12: c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe (win10v2004-20250314-en)
- behavioral13: c870e41803c86f574d467de03b94d3a5.exe (win7-20240903-en)
- behavioral14: c870e41803c86f574d467de03b94d3a5.exe (win10v2004-20250314-en)
- behavioral15: c888e1de25b9c34d74509d3ed5a918e1.exe (win7-20250207-en)
- behavioral16: c888e1de25b9c34d74509d3ed5a918e1.exe (win10v2004-20250314-en)
- behavioral17: c8a241ce60ec6fd11993628cd54237d7a54831874afb79467ac1b52d6a236c9d.exe (win7-20240903-en)
- behavioral18: c8a241ce60ec6fd11993628cd54237d7a54831874afb79467ac1b52d6a236c9d.exe (win10v2004-20250314-en)
- behavioral19: c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe (win7-20241010-en)
- behavioral20: c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe (win10v2004-20250313-en)
- behavioral21: c8bdecaa93c4ace382df013284f7209d35750e0b3de6354b0ceeababbf192915.exe (win7-20241023-en)
- behavioral22: c8bdecaa93c4ace382df013284f7209d35750e0b3de6354b0ceeababbf192915.exe (win10v2004-20250314-en)
- behavioral23: c8e7700ee69af8f70235a048b1b5b1e9.exe (win7-20250207-en)
- behavioral24: c8e7700ee69af8f70235a048b1b5b1e9.exe (win10v2004-20250314-en)
- behavioral25: c91bc52cc51e01b3224c7a365654c1c5add7892e81432c964fd9fa8ac3c51e0c.exe (win7-20241023-en)
- behavioral26: c91bc52cc51e01b3224c7a365654c1c5add7892e81432c964fd9fa8ac3c51e0c.exe (win10v2004-20250314-en)
- behavioral27: c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe (win7-20240903-en)
- behavioral28: c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe (win10v2004-20250314-en)
- behavioral29: c949630c94733e122dc321316d68ca1f.exe (win7-20240903-en)
- behavioral30: c949630c94733e122dc321316d68ca1f.exe (win10v2004-20250314-en)
- behavioral31: c94fcbd3ca89723863a372a980b7dfcd5ee5ef7cd41042f6aaefd68e51f39ba9.exe (win7-20240903-en)
- behavioral32: c94fcbd3ca89723863a372a980b7dfcd5ee5ef7cd41042f6aaefd68e51f39ba9.exe (win10v2004-20250314-en)
Malware Config
Extracted: umbral
https://discord.com/api/webhooks/1352346667352981566/kdt6MwtwhQeu2wt9anJEyYfPPzxdek9fkQxOMxM-Ma8wuWES2UFMqVUq4KF65ON6Ni43
Extracted: asyncrat
1.0.7
Default
45.145.229.196:1414
DcRatMutex_qwqdanchun
- delay: 1
- install: false
- install_folder: %AppData%
Extracted: xworm
5.0
83.147.240.230:7000
185.84.160.71:7000
CkCU8LEYJIr27QZj
- Install_directory: %ProgramData%
- install_file: RelTekAudio.exe
Extracted: njrat
im523
HacKed
pdf-cape.gl.at.ply.gg:6772
a35a8d92a6372d81aefe4a1dba0a5e14
- reg_key: a35a8d92a6372d81aefe4a1dba0a5e14
- splitter: |'|'|
Extracted: nanocore
1.2.2.0
hmm.serveirc.com:2012
9586223e-8567-41eb-82ce-d470eb696a89
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2016-07-25T03:46:58.673843236Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2012
- default_group: tfgvybhj
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 9586223e-8567-41eb-82ce-d470eb696a89
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: hmm.serveirc.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Extracted: asyncrat
0.4.9G
corporation.warzonedns.com:9341
480-28105c055659
- delay: 0
- install: false
- install_folder: %AppData%
Targets

Target: c7cf70e4f1b3a0683850a99c3f6fac8461ad028ec9f90c79eb209fa3b566e103.exe
- Size: 227KB
- MD5: 9eeb3d8007103e303076b4fcee1996bc
- SHA1: 8562c7a7b3229a24d48f4832801860bb8c51a991
- SHA256: c7cf70e4f1b3a0683850a99c3f6fac8461ad028ec9f90c79eb209fa3b566e103
- SHA512: 930ea1f646cfaa053ce719f6917f70cc36eaa5b653fcb5c9681deaf84e7185c887a612a00de90ab6f1d4c748794dbef3d17e3db3056add08e5c9fac69490d71b
- SSDEEP: 3072:yXPJJDS8SMbeMyZPxEo5oVU4FtzDhFqdUOQSVRYmhncUbd9U2aLaAtvDpt0B3GKE:QDSy0iFt
Score: 1/10

Target: c7cf7f1583d461202a26e85770a8f15a8fd83a37d1f9d3a5ce8ee19a3b7efbdf.exe
- Size: 501KB
- MD5: 605a6c728123f89de95f07c0de449405
- SHA1: 4799e3da9e77ef8373d62619fbd8e24758c68447
- SHA256: c7cf7f1583d461202a26e85770a8f15a8fd83a37d1f9d3a5ce8ee19a3b7efbdf
- SHA512: b8b1acf34d7344135de42906c18ba8d1f3f2f7756abd722116a959025b1a7597a6fd4f8afb6ecec3718fd39be7422aa3eb353d4a7a689575e45e21f7d1727daf
- SSDEEP: 12288:AiVxM192qAJ06o59fMz/3XOMjLJdWaIc20Agnt:AeZYd59Ez/Ogb/IcWgt
Score: 3/10

Target: c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe
- Size: 231KB
- MD5: bdce93cd17613821526bc6ca459ed2e9
- SHA1: a5ac6f6aaec918ef84e4229a14f7fa5e22a3125a
- SHA256: c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4
- SHA512: 75f898555e2a3c82b87f94a6b0504869513309a7f386546b4b4f5c241fb311144eff19527e3fbbae38708189f28d28bb556a7441ecf7d8044cc382cc88cd6cb3
- SSDEEP: 6144:RloZMZrIkd8g+EtXHkv/iD4G17d5nsAvLOXZkQlz7b8e1mjGi:joZCL+EP8G17d5nsAvLOXZkQlTqr
- Detect Umbral payload
- Umbral family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: c82cf03dc74500d9c2a3451c0a01c7601f431b47003fe71220153f4734b83c94.exe
- Size: 253KB
- MD5: 531f32b0b7a7c0a138a56835276ae889
- SHA1: 5152606af335f21c367699fbba929e30b7807bba
- SHA256: c82cf03dc74500d9c2a3451c0a01c7601f431b47003fe71220153f4734b83c94
- SHA512: 406ac01279015716258fb69346b2a0b8742092b0fd5647015bdb5c0beb60177eb8d36f46a31602237420d4a14fcf109d649d3216f5fb6e3cc512648f4a3b308f
- SSDEEP: 6144:sAn4iZBIlO3OgTZu79rSdEVNm48uu8673prl0IblOv/DCSd:sA4k2CudSdEVNm48uu8673prtbMvLCS
Score: 3/10

Target: c82e8ca52adaef2ad87a8f855739f4ec.exe
- Size: 637KB
- MD5: c82e8ca52adaef2ad87a8f855739f4ec
- SHA1: c4dc023de06c916b690bfc75dc04b9ab242c0555
- SHA256: ece9e27b7d3fd951331214c27526ba698a379f22f5f2b9a3f5a18e08c3626f05
- SHA512: 313d9694e159f062f1d0118cfd38e0c1ef6a7a3a7883a11151998e69f119cae4096a1ab6daed739621203bc76a6c39e8d6262136a5cf9987cadf15555c722d2f
- SSDEEP: 12288:aew2EvVyjL0aMMMMMMMMMMMMMMMMMMZkzKdkuRMMMMMMMMMMMMMMMMMmd4Wv5O3m:7YaMMMMMMMMMMMMMMMMMMZkzKdkuRMMp
Score: 7/10
- Uses the VBS compiler for execution

Target: c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe
- Size: 1.9MB
- MD5: 8e079931976b660c64ddb79468d6075b
- SHA1: e728c1b735c98351be645a68934edad1f52e09b3
- SHA256: c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428
- SHA512: 36e997cb6b10099db8271303d8b3f5fcb6166104720819afb2a257071e34dddb06d6f9178145680b4aa1712fa1e03d3ba9984cc900e6b42244bf2a3e3faa67e9
- SSDEEP: 24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Score: 10/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Checks whether UAC is enabled

Target: c870e41803c86f574d467de03b94d3a5.exe
- Size: 1.6MB
- MD5: c870e41803c86f574d467de03b94d3a5
- SHA1: 400b9e869b220989490c27fde0cfab9870cf5bc9
- SHA256: f1967d6c082848ffbdf221a89f81eb9755ac78c924bd642ddab409969e81a37a
- SHA512: 9cc4b7d1d438a0a06acb3edd0fa0f9b1fb96ef291637bc6e146d0ece96225063d277eed8b8ce560b467d65df009a9b0d35f1bcf2448b2a58f098157d495bfe4a
- SSDEEP: 24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score: 10/10
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE

Target: c888e1de25b9c34d74509d3ed5a918e1.exe
- Size: 885KB
- MD5: c888e1de25b9c34d74509d3ed5a918e1
- SHA1: 61c0aa0c64a7142e1a7e1682993c97b72fc8deb3
- SHA256: 8cdc21ccbff31e8798a3581282fdb5007c33042221a3d2d64e6ce767e936b930
- SHA512: eca2875bda3c49425b803cd2b21ef79cc0e693c32f3f8808148bff03670408b6eb561b9dd50de41eeb26008f294e492ab171c6afe97c50f9e51c2afb3187452c
- SSDEEP: 12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u
Score: 10/10
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE

Target: c8a241ce60ec6fd11993628cd54237d7a54831874afb79467ac1b52d6a236c9d.exe
- Size: 12.8MB
- MD5: e40e579ecd424b59c6197c23dbd110e4
- SHA1: 97dad6b2543255ef86f28c7e18db3abc5c7d3c25
- SHA256: c8a241ce60ec6fd11993628cd54237d7a54831874afb79467ac1b52d6a236c9d
- SHA512: 2162099f26ef8936efeb4b482bff6eb0e7f8ab4fe919634fbd7141fe469ae773c7586912919da4f759dedebd6455abf0f07cf02c73e7379c04eb0ce88f626f95
- SSDEEP: 393216:e9V7UKOzIkEiY3LiunQnPeQ9xoGGXl2dhDr4/J5bZOZ:UV7UKulrPeQ9qRAdhDre
Score: 7/10
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.

Target: c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe
- Size: 563KB
- MD5: 9d134d599e0c51fa5bb43572c9f01f58
- SHA1: 3783aa19e6a211eb295ea5148aa13853cf32ab7a
- SHA256: c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee
- SHA512: bae3246910321639519ca513b52c566424ab7a483cbd7cefd5c65b6483b188bf3b1495748ea67de9cae27862bb33d786e3b8979c3c5eb9682a154b64ca49f2fe
- SSDEEP: 6144:B3L2ItqTVSkKIufce6VlWT8b99ixkBg+1emkVUgaOMbNz390W:VLBHZI7PVle8XiYgDjCF95
Score: 10/10
- Modifies WinLogon for persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Loads dropped DLL
- Adds Run key to start application

Target: c8bdecaa93c4ace382df013284f7209d35750e0b3de6354b0ceeababbf192915.exe
- Size: 3.4MB
- MD5: 88e439eac66827c4f716dceee758dd6a
- SHA1: 78a36c0139a12c9783731ed759a1759cb39d088c
- SHA256: c8bdecaa93c4ace382df013284f7209d35750e0b3de6354b0ceeababbf192915
- SHA512: 34150f368c8bf38b31da2d470723e7c1d15bce23436b607e4e4dcb78d9e275334ca415ead0263d96fca377f5add137d3557c70f367fdefb22b19c4404b15d375
- SSDEEP: 98304:qHJwTUdidsYBgmSsWDuZ+BBnpKVBKZGT:wJwTddsY+mSsWSZ26WZM
- Detect Xworm Payload
- Xworm family
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: c8e7700ee69af8f70235a048b1b5b1e9.exe
- Size: 47KB
- MD5: c8e7700ee69af8f70235a048b1b5b1e9
- SHA1: c77e61822740dabc1fc1eb4a59d9eeaa0096372a
- SHA256: 2e0200339c1c69edbde054893cfb32022150467f985997cbc57d663144c5a296
- SHA512: c99c6482d493679e73ecfdeae19ca5a0bf382c9c9c78bf4555600b18a9f322db554b6b5080be49bcd65479c0d1d646407d7380a8a81a9aa31a26b89880bc9406
- SSDEEP: 768:dOEuILWCKi+DiBtelDSN+iV08Ybygei3B4oN97vEgK/J9lZVc6KN:dOtmBtKDs4zb193nnkJ3ZVclN
- Asyncrat family

Target: c91bc52cc51e01b3224c7a365654c1c5add7892e81432c964fd9fa8ac3c51e0c.exe
- Size: 163KB
- MD5: 25741d72df755eb931e032dc577c4410
- SHA1: 40db9d990ed4d52eee5075d21697ca695846573a
- SHA256: c91bc52cc51e01b3224c7a365654c1c5add7892e81432c964fd9fa8ac3c51e0c
- SHA512: a20ff5dd6c802038dea518a4cb3a8e3f8861d415f31f222efa85d30332e39e9794805d426ac7c48492aeaed0652cf3afd5f38e9f5f3f84060b0cc116ad016cc9
- SSDEEP: 3072:BmX9J/G8vbotyEtyHZhRJZkAifkgsAnEv9iJTVbOMlETU:BmXZMAhkAGsAEFixVbII
Score: 7/10
- Drops startup file

Target: c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
- Size: 1.6MB
- MD5: 3300bfaf9bf1b6c6ad8edd215d41f472
- SHA1: 410ca541b614b044273f9ce3be0aeb5eb185097a
- SHA256: c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812
- SHA512: c628e19818f92eb95e068fba254ce8be88a712cb28607034d99bb66352aa1640222b89412b26e1324862834f2d271db0432f338a9273707755e08c2bfff9deac
- SSDEEP: 24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score: 10/10
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE

Target: c949630c94733e122dc321316d68ca1f.exe
- Size: 30.1MB
- MD5: c949630c94733e122dc321316d68ca1f
- SHA1: cd30c22e274de0149544d1889a4402c067daf212
- SHA256: 09455ae9bbc99b19bd191d6a1e8454dbf5d299e229e70520852dfa4b37905205
- SHA512: 902ad50640283fe67c3d05fc892c204eca0c79f9b1fb5952d11d25d3ec4a499b3de56c599b4a2e92203a5468ef51a983ff8dde333b8143cab1fe4828bccc78ea
- SSDEEP: 786432:4X9YkEvofjPaeA8NOqZWryVB41efzsB4si4inK+:SYkyWji4CkgP3Ex
Score: 7/10
- Deletes itself
- Drops startup file

Target: c94fcbd3ca89723863a372a980b7dfcd5ee5ef7cd41042f6aaefd68e51f39ba9.exe
- Size: 273KB
- MD5: fcff087eb0f783dd0aa6d6ade2fd9c2b
- SHA1: 0b041ce2961a1e1dccbeb734a008f22f391600cc
- SHA256: c94fcbd3ca89723863a372a980b7dfcd5ee5ef7cd41042f6aaefd68e51f39ba9
- SHA512: 63a4d46a1565b86d7be5838c627e03d999f2cd35cabbed960b18ff4791a9410ea0fb8af1703a4a79703046ef86da6a9e765ad52676e4df506279d1a4351435d8
- SSDEEP: 3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdTP:WFzDqa86hV6uRRqX1evPlwAEdT
Score: 10/10
- Asyncrat family
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - AppInit DLLs (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - AppInit DLLs (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)