asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_61.zip
Size

23.2MB
Sample

250322-g2ywaay1fy
MD5

bf90b2e0b88eb02563c013b903940fc4
SHA1

cc5c0ff87124055c185058a285a331f5da792a6e
SHA256

4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760
SHA512

c36291747e8f802a94f4668893a387e9e560522d2c26f3c42add65e0b052693c7ed2c26cc9eee3cbbbbae00acc95d95c546b5c918810f170c7dde36f0858b280
SSDEEP

393216:ksNpRraBaHxVlDA8WOrT/n6aXpsxXdXZusNp0FpE5yhuAs7P6RsBC6hSyOMDv2:NlE8WOH//yxNpT0FpE5yQ37P6u86hLBy

Malware Config

Extracted

Family

asyncrat

Version

| nelsontriana980

Botnet

Default

pctrabajonuevo.casacam.net:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

reftel.ddns.net:54984

127.0.0.1:54984

Mutex

11b132f1-b2d5-4bf6-9166-34aaf514d89a

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-27T18:14:14.261066736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
11b132f1-b2d5-4bf6-9166-34aaf514d89a
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
reftel.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

mooonskj.ddns.net:5552

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

HacKed

holyfuckingshit.zapto.org:1188

Mutex

dbaa10daaecc50e5048d51ecb95a01dd

Attributes

reg_key
dbaa10daaecc50e5048d51ecb95a01dd
splitter
|'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.1:4782

Mutex

64815557-7ace-4e24-8254-b4bfa76c68d0

Attributes

encryption_key
4C4CF51A01784F79888EFBAF8D36D0C89B0CFD16
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.4.9G

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7810553983:AAF3uNmTjPchWZALCr5hfHzaUc2KfKr7BrQ/sendMessage?chat_id=8164035448

Targets

- Target
  
  f5ae5532f18462594d061ae3bdf732b5.exe
- Size
  
  2.0MB
- MD5
  
  f5ae5532f18462594d061ae3bdf732b5
- SHA1
  
  6461c47fabfa10d49f4c87c1e7685b81a2a402be
- SHA256
  
  afc02ea81470653fdfdfa402a5a8718a48617cefdfd811e95b9d0350b8bc9910
- SHA512
  
  81bde60db899576ff3be441021c522e3e14e89c019122fb2fbd4b9647adf19ef7a1f5059dd1b13ca58cc869b8c367bdec7bde3fc1c4729c7fdcb9b402a26c26c
- SSDEEP
  
  49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral1 behavioral2
- Target
  
  f5cb51ffdb87e6d78da4a60b2a83a2c0.exe
- Size
  
  271KB
- MD5
  
  f5cb51ffdb87e6d78da4a60b2a83a2c0
- SHA1
  
  f707cebf3b837c0f5b7724f125a5eb5acf622e6b
- SHA256
  
  cc18af46043434e99591546067f4ac5c031656cc3493d80396c4eb461e2d6cc9
- SHA512
  
  883970f6caecb15195108d25014a5faeaf2a1ce3a0c3f888da7d51bee3ad57f95abdf55a14748e25af39d0697fab6c1ad9fd5958efc2cc14ea279e099baf0610
- SSDEEP
  
  3072:7aaXQh1zKfB0OZpbsxFqc9pI9sjBO1z+5X0uuMmk9b+3ZrQE8Ne5oKk3XsXMSrZS:7aaXMzUmOZoqEIaNOyEObyQEJ5o5eM
Score

10^/10

quasar discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  f5ed1274646abc95fd8b87f43adcadbc.exe
- Size
  
  66KB
- MD5
  
  f5ed1274646abc95fd8b87f43adcadbc
- SHA1
  
  bdc83157a77066f75ae2285455428bdb95246f00
- SHA256
  
  dfc5e3435f8ce62c4ba623753f1e15d0311547b9c0276d34b4736f640be26330
- SHA512
  
  c8616cf6f6c586d3f9b99360ccc3243fc8708a91d7e0fd9df91bcaf644022a60c9c2529c5cd648a5fb5ea6c635c2c922e6ad90ae3741d304b533f139cd2554b3
- SSDEEP
  
  1536:a2wukvF1ak9gcKu5UYFwKMkb7UApZrPlTGZx:a2dkvF1ak9Ku5UYFwdkb7Bdax
Score

10^/10

asyncrat default discovery rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5 behavioral6
- Target
  
  f62837f3bc66012b94d74cc471f3d97a.exe
- Size
  
  625KB
- MD5
  
  f62837f3bc66012b94d74cc471f3d97a
- SHA1
  
  9fa01c1c57bb1ec604771a796b4c36352552516f
- SHA256
  
  6831200eb1173e4bf699042b7b2e63e3582490981a55b20671724bb60cb0faa9
- SHA512
  
  de95cd3184e9f9d6931db60a6edd6e986eba3ae0c2e6308e65808aa6fbefd4d00f0d38a4305dc307d0217acdfe8fad165adf7a39d6f553eb53ff81abbb147b6a
- SSDEEP
  
  12288:jQn+P/KKZA6B0Ndprctmm0+xFLnLsoc/8uHlHXob3:W+P/0UWdomC/LnLsoc0uHdX
Score

10^/10

snakekeylogger collection discovery execution keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  f628fa20e85aaf1cc562cfd512392d3d12da2ef70adc31068f1e3d7f2b0a4f3b.exe
- Size
  
  273KB
- MD5
  
  3ef5f71fdec671a56a286ea1866bb640
- SHA1
  
  04e90d67cfb7cb470ea9e6d48f4fc765b0ddb472
- SHA256
  
  f628fa20e85aaf1cc562cfd512392d3d12da2ef70adc31068f1e3d7f2b0a4f3b
- SHA512
  
  5e724aef6ad8258cf23363911fb74780ff9b6cd469c0ba478d72de2d86b295ed63901e89a0a05466b2c9a7925244f6b02aef3ab9d06f325a1301eb3aedd431d2
- SSDEEP
  
  3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdT/u:WFzDqa86hV6uRRqX1evPlwAEdS
Score

10^/10

asyncrat discovery persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  f640f01e808f31a32d455a827fd646d5faf2a452b47833597990ffe9a6597ac5.exe
- Size
  
  373KB
- MD5
  
  1390a05960fe6acd3fd25279513346f0
- SHA1
  
  c65393f72d9e00c770ba3ef393701bc87e13b938
- SHA256
  
  f640f01e808f31a32d455a827fd646d5faf2a452b47833597990ffe9a6597ac5
- SHA512
  
  90c3d8d61687e3bccd9e6e15f6c5f3db6770471878b452f9a11874ea70391eac5639424fd3f4a03de7729d642355fb2e6e0c4e65e3e4765cb76111a7b2de5bcc
- SSDEEP
  
  6144:tyMIULPy/x3xUArN62f7GU7njrbma/3LaQURrM2TuP6zJcW:XDy/xhUAtf7tjrbma7OJxuSzp
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  f66fa3036e662d8f7ccce8795fb8b907.exe
- Size
  
  154KB
- MD5
  
  f66fa3036e662d8f7ccce8795fb8b907
- SHA1
  
  6685873421123f46a8762802b835e2556ad8e5aa
- SHA256
  
  ada4cebb65e8b8b58ecee2c799394b5bad8fa4ebfd3ee7cf8f88c54b93e91b86
- SHA512
  
  49be39d868ab2f268230222e12fbff79ee561641c1b61becba21909a0bb0ce45acae75d55a238c8940484c3b2cf57547105de9247ff5bc9b9af8675cf8eedaff
- SSDEEP
  
  1536:2mZmg5zb02q/t6jOFvDO7slsF9PS24s+lSmSWQWOxzlAuT2oLkC1N5UbsGt3kcmF:JZmCb6ROF96zMq1yLAHtUcmKyN
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral13 behavioral14
- Target
  
  f68f044685639be03fd992bcb711c098d22b6d0f0043638768c726bf96049950.exe
- Size
  
  3.0MB
- MD5
  
  4d16429b31b10c20f707cd5289b2466c
- SHA1
  
  2d81797a275a1e4810e8c9d3c32ffca17adffc76
- SHA256
  
  f68f044685639be03fd992bcb711c098d22b6d0f0043638768c726bf96049950
- SHA512
  
  e69fa3608df519e26d5878f95c29132992e4c1a6744905d2256912d7c40aab11fe903575734a8952791d5898570c634e969b26a62b21bf978acac5878d9615d9
- SSDEEP
  
  49152:NMHHrIxRWPc3wDlRo4LZpsqDXUDBvFHOxoYj80VmXvqvIGg:N4H2RWPc3QlRzLTFDX6VFHOxjj89XvCy
Score

10^/10

discovery
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  f6ac1ea5c19284854998f25244a12f25.exe
- Size
  
  654KB
- MD5
  
  f6ac1ea5c19284854998f25244a12f25
- SHA1
  
  99fbd0be6020def40eedb33c453c9e516d39ddb4
- SHA256
  
  10478f3361a6cdb5ce48bf9490ea60505e90ef4f9649973ca35bdcf43af1f4b9
- SHA512
  
  b2415c9af9284eebc053ef56c82ad15043b713d38c6fca1cabdbeff0d726f9f956bf56655c60f0d6ec95ef5150e50da1a539cbef5502dd032399721a545badda
- SSDEEP
  
  12288:slGjIbKjk/x78IANpdqAUJeBrwwsRpIFgVXC0xi8/+b7LegZSv:uGcbKj+d0dzAZVXObfeoG
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  f6b79788476c3806befcdd2dead8231a.exe
- Size
  
  506KB
- MD5
  
  f6b79788476c3806befcdd2dead8231a
- SHA1
  
  56eba5da31c728dc287435a555e527b1a27cae37
- SHA256
  
  9c798b5cf50fd400ce59355b91a741ab5ccfcffdaedc50815981fa280f4776a9
- SHA512
  
  f46f9b568f3d0cb6b4e799a68a3d7defd4e35cbf3df59840d05e575e8580a0cd8e95a497b5f5b272c21fe4105264272d4b58c8bec211597bbcf2de099eab49f3
- SSDEEP
  
  1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral19 behavioral20
- Target
  
  f6e297800457d823c0597e833d555135.exe
- Size
  
  78KB
- MD5
  
  f6e297800457d823c0597e833d555135
- SHA1
  
  bef99c4a2e1ad4c2c478f156089158cbc624f7d2
- SHA256
  
  da2a754ce56ec13af9f429d5dcd20ff88aadc429a1b0a74d68f217f87e31b42f
- SHA512
  
  69ae7dc2898887531ef8faa9740d56e6e40af3d0bafca4f2c78e4e4a37a643afa731985d9fbb9792ea61fd61927d043356a418be09b5ad1b48c73aec81af1790
- SSDEEP
  
  1536:7V5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6H9/0V1aj:7V5jS+E2EwR4uY41HyvYg9/0g
Score

10^/10

discovery persistence metamorpherrat rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral21 behavioral22
- Target
  
  f721adec82fb8994517719b69e8aa337d4619879e64cbd2fd80fc4e190e22c71.exe
- Size
  
  859KB
- MD5
  
  b45837ebf5cd2f6e63284b8a8aa5a3f3
- SHA1
  
  fdf773448014f4c1453ee9e481e7c617cced06d7
- SHA256
  
  f721adec82fb8994517719b69e8aa337d4619879e64cbd2fd80fc4e190e22c71
- SHA512
  
  bdddd11c45e3c811ebdd23b1f9f490b2a59203f7a13b4caee9367946238144dd6812d55eef399cad9815b87f4b5a61e4d3018c6d9d7528a2493404e8a42c3c1f
- SSDEEP
  
  6144:NtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rT7a:P6u7+487IFjvelQypyfy7T7a
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  f736c152b3d1812f1142ed0da99e0ac8.exe
- Size
  
  5.9MB
- MD5
  
  f736c152b3d1812f1142ed0da99e0ac8
- SHA1
  
  5df819dd9a3c73b64b33950ecfac1c690fa0f03d
- SHA256
  
  78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246
- SHA512
  
  a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041
- SSDEEP
  
  98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4X:hyeU11Rvqmu8TWKnF6N/1wC
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral25 behavioral26
- Target
  
  f780377dd90d33c8280734d882fc2ac9.exe
- Size
  
  12KB
- MD5
  
  f780377dd90d33c8280734d882fc2ac9
- SHA1
  
  2ca8e1e97f1d9893389ea6f7505fe7c24924b387
- SHA256
  
  d44c91defb81890cb0045d3a612485a4db65c1f4e52ce405efa453b8a07229e7
- SHA512
  
  ffa397cbe485bef45d52cbe19527bd7e16d5fe3847e80844dbb45fe96effefb8f0c3cfdcfa9d164786a063d6bc74a38c99ec2bab132b3841caaefb72b26be643
- SSDEEP
  
  384:SL7li/2zcq2DcEQvdfcJKLTp/NK9xa4f:MYMZQ9c4f
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
behavioral27 behavioral28
- Target
  
  f7a96bf0830c5f7513d65086e0f7eb6679565b6ffdc6d1e325ee21303b38fec8.exe
- Size
  
  16.3MB
- MD5
  
  d32fe3fb50984221124e7fff0ac80a1a
- SHA1
  
  471d011cd362c6b27c2b5e8a031fe012a112a793
- SHA256
  
  f7a96bf0830c5f7513d65086e0f7eb6679565b6ffdc6d1e325ee21303b38fec8
- SHA512
  
  1168ce8efa4050bc761b7665c88dc19c74f3228ff1e5a4431091cde297ce962802d6010158f2be9b81812ea2a6bcaf85829106383fb1467efbde8ee177ec75b0
- SSDEEP
  
  6144:l0WD+E+QaLl/ymeKHhhkJgOY1/9qz9I3/BNmYEBbsJJutJOp:qVOOkJg3lOk/rm9+Ju/
Score

1^/10
behavioral29 behavioral30
- Target
  
  f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe
- Size
  
  135KB
- MD5
  
  5269f6855d30bdd88ba0d88453c8e722
- SHA1
  
  d87ffc99e105315bebfef48296f6b0e6e87ae5cf
- SHA256
  
  f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b
- SHA512
  
  7ab21f5e7d7fd6bb2149b80582bc50711941bce8128c26d48710c8e9a60d3eff153ab3f39696451b1a946da052b3dd2a4de444b9bb9e6bdb884bcbe03f654819
- SSDEEP
  
  1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKE:xPd4n/M+WLcilrpgGH/GwY87mVmIXU
Score

10^/10

remcos host discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral31 behavioral32