Overview
Score  Sample                 Platform
10     2695e9c340...f2.exe    windows7-x64
10     2695e9c340...f2.exe    windows10-2004-x64
10     26988aa536...1a.exe    windows7-x64
10     26988aa536...1a.exe    windows10-2004-x64
10     26c11dac9d...ae.exe    windows7-x64
7      26c11dac9d...ae.exe    windows10-2004-x64
7      26cf08ffef...d4.exe    windows7-x64
10     26cf08ffef...d4.exe    windows10-2004-x64
10     2731468d18...e0.exe    windows7-x64
10     2731468d18...e0.exe    windows10-2004-x64
10     2743ade13f...5f.exe    windows7-x64
10     2743ade13f...5f.exe    windows10-2004-x64
10     275ed71ebe...da.exe    windows7-x64
7      275ed71ebe...da.exe    windows10-2004-x64
10     27603eafb6...aa.exe    windows7-x64
10     27603eafb6...aa.exe    windows10-2004-x64
10     2774cc3c00...0f.exe    windows7-x64
10     2774cc3c00...0f.exe    windows10-2004-x64
10     277de6643c...86.exe    windows7-x64
10     277de6643c...86.exe    windows10-2004-x64
10     279ceeb4db...19.exe    windows7-x64
10     279ceeb4db...19.exe    windows10-2004-x64
10     279dab20ac...0d.exe    windows7-x64
10     279dab20ac...0d.exe    windows10-2004-x64
10     27aa584234...04.exe    windows7-x64
10     27aa584234...04.exe    windows10-2004-x64
10     27b356f4e4...60.exe    windows7-x64
10     27b356f4e4...60.exe    windows10-2004-x64
10     27f2cdcc8e...20.exe    windows7-x64
10     27f2cdcc8e...20.exe    windows10-2004-x64
10     27f9837794...54.exe    windows7-x64
7      27f9837794...54.exe    windows10-2004-x64
General

Score: 10/10
Target: archive_10.zip
Size: 44.3MB
Sample: 250322-gwfgrayzcx
MD5: 327cd7e2f6679f46867d0e205d431a0b
SHA1: deb1c4adfc033e444be4df64771a8be96f933f78
SHA256: b8c5e2c8477706f3f54e152443718dcec270889002289aa1730eabc5ba3f312f
SHA512: 9df171e9b1c0adbb814619b1b0aab80d94bb101767b41199f589294b96df6b083d5ac88b62b1c67d619afb3be0005ad0781a2931bf75617dd2a002b686f49b34
SSDEEP: 786432:d//yxNPo+pxPeFhJi2EeHz06NFV6lgwOY1kkvPaukxh2GO2xvtMRe4jtwbFYn/fg:ZaZcJFF4lcAC0k4jtEW/fgiUdl
Static task: static1

Behavioral tasks (sample, resource):
behavioral1: 2695e9c3407b633d957cf77bb878f5f2.exe, win7-20240903-en
behavioral2: 2695e9c3407b633d957cf77bb878f5f2.exe, win10v2004-20250314-en
behavioral3: 26988aa536baefc2f8043cdb0d2e49e800d009b362f5cbd38692511fc5198f1a.exe, win7-20241010-en
behavioral4: 26988aa536baefc2f8043cdb0d2e49e800d009b362f5cbd38692511fc5198f1a.exe, win10v2004-20250314-en
behavioral5: 26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae.exe, win7-20241010-en
behavioral6: 26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae.exe, win10v2004-20250314-en
behavioral7: 26cf08ffef5a40b6849f2afec99ac8d4.exe, win7-20250207-en
behavioral8: 26cf08ffef5a40b6849f2afec99ac8d4.exe, win10v2004-20250314-en
behavioral9: 2731468d18a92b65fce6a2c8a04538e0.exe, win7-20240903-en
behavioral10: 2731468d18a92b65fce6a2c8a04538e0.exe, win10v2004-20250314-en
behavioral11: 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe, win7-20240903-en
behavioral12: 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe, win10v2004-20250314-en
behavioral13: 275ed71ebe32729141c2916b8abcca8763d60d2a4af82de387b9979a37495ada.exe, win7-20240903-en
behavioral14: 275ed71ebe32729141c2916b8abcca8763d60d2a4af82de387b9979a37495ada.exe, win10v2004-20250314-en
behavioral15: 27603eafb6dd5000efc17b4d67e142aa.exe, win7-20241010-en
behavioral16: 27603eafb6dd5000efc17b4d67e142aa.exe, win10v2004-20250314-en
behavioral17: 2774cc3c0042f6c83a21daa4b7ea0d0f.exe, win7-20240729-en
behavioral18: 2774cc3c0042f6c83a21daa4b7ea0d0f.exe, win10v2004-20250314-en
behavioral19: 277de6643cae0dcc918de5342ba5f386.exe, win7-20250207-en
behavioral20: 277de6643cae0dcc918de5342ba5f386.exe, win10v2004-20250314-en
behavioral21: 279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe, win7-20240903-en
behavioral22: 279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe, win10v2004-20250314-en
behavioral23: 279dab20ac900bec30b0f1793b059f0d.exe, win7-20240903-en
behavioral24: 279dab20ac900bec30b0f1793b059f0d.exe, win10v2004-20250314-en
behavioral25: 27aa584234053a57f89d2e393478ef04.exe, win7-20240903-en
behavioral26: 27aa584234053a57f89d2e393478ef04.exe, win10v2004-20250314-en
behavioral27: 27b356f4e4551c76a9bd9011156ba560.exe, win7-20250207-en
behavioral28: 27b356f4e4551c76a9bd9011156ba560.exe, win10v2004-20250314-en
behavioral29: 27f2cdcc8ecc897dfe40d5af2b4122fc9a40843d60a0506a4a2d5044650a5f20.exe, win7-20240903-en
behavioral30: 27f2cdcc8ecc897dfe40d5af2b4122fc9a40843d60a0506a4a2d5044650a5f20.exe, win10v2004-20250314-en
behavioral31: 27f98377943c5b084728d381bf46e854.exe, win7-20241023-en
behavioral32: 27f98377943c5b084728d381bf46e854.exe, win10v2004-20250314-en
Malware Config

Extracted config: asyncrat
  Default
  C2: 127.0.0.1:6606
  C2: 127.0.0.1:7707
  C2: 127.0.0.1:8808
  https://api.telegram.org/bot7552210369:AAGOe83VIQXWkppjzFCQkkZxhmaRRArf0EQ/sendMessage?chat_id=7623088285
  Mutex: AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%

Extracted config: xworm
  Version: 5.0
  C2: 147.185.221.26:20448
  PDnMp26nAxNNrxwQ
  Install_directory: %AppData%
  install_file: XClient.exe

Extracted config: njrat
  Version: 0.7d
  tnakt fik
  C2: tnaktfik.ddns.net:1177
  6ccf4ee47554289234f96881f6819ddb
  reg_key: 6ccf4ee47554289234f96881f6819ddb
  splitter: |'|'|

Extracted config: xworm
  C2: w-bridal.gl.at.ply.gg:48095
  Install_directory: %Temp%
  install_file: Sys32.exe

Extracted config: umbral
  https://discord.com/api/webhooks/1352290842009796729/G8yLk-T0sLJfX9oqfGwDEn679VpKN-s9_di6iL35v7J0EuZOmgrqGv_vPjXY_ihAjPfX
  https://canary.discord.com/api/webhooks/1345453309598629928/2HBSdVwTGkqEcvX_fE2qpKGG7vtM8kFpFQOMzfDnYxxXjd0yqm3Ub9cKP8ZoD-miqv3n

Extracted config: njrat
  Version: im523
  Nursultan.exe
  C2: 127.0.0.1:5552
  351053b9b245fb5b8b34d4b6a63075b8
  reg_key: 351053b9b245fb5b8b34d4b6a63075b8
  splitter: |'|'|
Extracted config: xred
  C2: xred.mooo.com
  payload_url:
Extracted config: remcos
  Version: 1.7 Pro
  Host
  C2: systemcontrol.ddns.net:45000
  C2: systemcontrol2.ddns.net:45000
  audio_folder: audio
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 5
  copy_file: OfficeUpgrade.exe
  copy_folder: OfficeUpgrade
  delete_file: false
  hide_file: true
  hide_keylog_file: true
  install_flag: false
  install_path: %AppData%
  keylog_crypt: true
  keylog_file: Upgrader.dat
  keylog_flag: false
  keylog_folder: Upgrader
  keylog_path: %AppData%
  mouse_option: false
  mutex: req_khauflaoyr
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screens
  screenshot_path: %AppData%
  screenshot_time: 1
  startup_value: OfficeUpgrade
  take_screenshot_option: false
  take_screenshot_time: 5
Extracted config: njrat
  Version: 0.7d
  neuf
  C2: doddyfire.linkpc.net:10000
  e1a87040f2026369a233f9ae76301b7b
  reg_key: e1a87040f2026369a233f9ae76301b7b
  splitter: |'|'|
Extracted config: vipkeylogger
  Protocol: smtp
  Host: webmail.designhubconsult.com
  Port: 587
  Username: [email protected]
  Password: @BUx*#CGu1rt
  Email To: [email protected]
Extracted config: nanocore
  Version: 1.2.2.0
  C2: sysupdate24.ddns.net:45400
  ae82ab7f-db07-49ee-9d2b-76075d76f37f
  activate_away_mode: true
  backup_connection_host:
  backup_dns_server:
  buffer_size: 65535
  build_time: 2020-04-24T17:41:53.492468936Z
  bypass_user_account_control: true
  bypass_user_account_control_data:
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 45400
  default_group: Default
  enable_debug_mode: true
  gc_threshold: 1.048576e+07
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07
  mutex: ae82ab7f-db07-49ee-9d2b-76075d76f37f
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: sysupdate24.ddns.net
  primary_dns_server:
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: true
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
Targets

Target: 2695e9c3407b633d957cf77bb878f5f2.exe
Size: 5.9MB
MD5: 2695e9c3407b633d957cf77bb878f5f2
SHA1: ec0caded0b9a4b143a0e6793d21fdf4eccfa8484
SHA256: e4fd314579515e6065e60382d2f266607ba872608bb0c9e29a6fda8b9c702383
SHA512: b3eeb4d3f9744c8a0b8144e1b3253a1ef3644b331bee8900d9cfdb86d019303f3dca08ee3b2e620f6ef6829dd90d1b356a26ac58f016cbec655a35dd6474906f
SSDEEP: 98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4l:xyeU11Rvqmu8TWKnF6N/1wg
Signatures:
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 26988aa536baefc2f8043cdb0d2e49e800d009b362f5cbd38692511fc5198f1a.exe
Size: 256KB
MD5: f8711c1a5b36f91d9c58dd4f367e40d1
SHA1: 750ee2c764fcdd0f6bd986eca9caa3795469d32a
SHA256: 26988aa536baefc2f8043cdb0d2e49e800d009b362f5cbd38692511fc5198f1a
SHA512: e9cd3add054705913fa59e6ad01e583c24cc1319b8c592afa02cf289de68290359c22720a8c3970691a59a46eaf13eda88bc0a600ab654463fc60da36ea3ea3c
SSDEEP: 6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ+q:EeGUA5YZazpXUmZhlq
Signatures:
- Nanocore family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext

Target: 26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae.exe
Size: 27.2MB
MD5: 033e360ce118a4bdb0b816f7c68de8cf
SHA1: 286a289a4e92105656ee1fcccac5e0814c0d24bc
SHA256: 26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae
SHA512: 786f1898f09d6eb643ddd04922ebf7f0e432cbd7cbe428325eeea1553a3f8f8fe29c8fa1223f8323f4dd84fa0d7d923fd496d892b918475c10eb915928f6ae70
SSDEEP: 12288:nssssDsssssssssssssssssssssssssssssssssssssbsssssssssssssssssssD:/
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 26cf08ffef5a40b6849f2afec99ac8d4.exe
Size: 175KB
MD5: 26cf08ffef5a40b6849f2afec99ac8d4
SHA1: 86c276b3569218b1f1cb9f490d4631017aa85c52
SHA256: ca0d16b1805984d77294ae4cbd3fc5c3c9d33cf60bc35d3c12e2b60245331521
SHA512: 9b31ae192c6c0ed9b4fafc751212c94cd7f566e4d82191ab1dfb42a5d5ff57712972dca2449e3e6742e5aa306c33953b1c8f77c7d9b16f140fe78a6187028680
SSDEEP: 3072:/e8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gT8fwAqE+Wpor:KXtb5KcXr7XmfgqtjhAxZ0b2p
Signatures:
- Asyncrat family
- StormKitty payload
- Stormkitty family
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.

Target: 2731468d18a92b65fce6a2c8a04538e0.exe
Size: 2.0MB
MD5: 2731468d18a92b65fce6a2c8a04538e0
SHA1: 1777e3398d8716138d84b29d66a9428d6b285766
SHA256: 876eb243829a1a476315a159a2768ec07505d29aabc5234a0dcc877d8fa8d644
SHA512: deed4e0b686914b866144ef7d9ab190d21a2f430d338c666db6831e98301a10005c5128d3f082caeae05de94d24009a74dd8d81c1f64e0fd1c10d858d9a5aa72
SSDEEP: 49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N
Score: 10/10
Signatures:
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
Size: 15.2MB
MD5: 6d2849c0ff4b4cf3ef02f4fde0d92351
SHA1: 1173bd4bd5c3c107ac9cb9b6b92379b85d0ace71
SHA256: 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f
SHA512: 553b31e4c338239be5aca5b58722432c7e9cb7dfa96950952035a5f316f44127c4cec3978db80312b80196be319f0ca920a687204de3367a0a10d82728266743
SSDEEP: 393216:LGg4aQGg4aDGg4aRGg4aTGg4akGg4auGg4awGg4aDGg4a1Gg4aPGg4at:r+zZDSsezdPt
Signatures:
- Xred family
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 275ed71ebe32729141c2916b8abcca8763d60d2a4af82de387b9979a37495ada.exe
Size: 135KB
MD5: 955370c2069f2a6d1e61acf033cea200
SHA1: d6b5e253980b7744802e5fe3c1d1b2b9ce0572b3
SHA256: 275ed71ebe32729141c2916b8abcca8763d60d2a4af82de387b9979a37495ada
SHA512: 373ceafa1a982eff2f0bf93c728f7e1fab4df393e600aa5bcb4939eae8ad7959713cda9fa22a379a507431d6c2ea9bbccb4f254fdac434ec4f0e3c7aa9b9387a
SSDEEP: 1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjK6:xPd4n/M+WLcilrpgGH/GwY87mVmIXt0Z
Score: 10/10
Signatures:
- Remcos family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 27603eafb6dd5000efc17b4d67e142aa.exe
Size: 999KB
MD5: 27603eafb6dd5000efc17b4d67e142aa
SHA1: bb6cfbad15876e4d37a7355618d6d29ab487245a
SHA256: cca55400b39ebc83a4b99277a47d4f83e0af9172b5f8008427ecab55d5c63f67
SHA512: b3aadec99d7c1fab9ded1efe5023537d6675fe16ef18bda9885722ca76cc008ba0676106c559300fbb412351a72aa9c959c524d049e794bd22fa1b418d592661
SSDEEP: 12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi
Score: 10/10
Signatures:
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Adds Run key to start application

Target: 2774cc3c0042f6c83a21daa4b7ea0d0f.exe
Size: 34KB
MD5: 2774cc3c0042f6c83a21daa4b7ea0d0f
SHA1: 02504384a948854d039399a1b95a295902e4f9d1
SHA256: 1ff24ee66a68e8257f500d0432ea0b0905c7527d493927fec6c6b3fc7c0e6e31
SHA512: f7c3edbc702de77958c75e764e3d23f3fa8e4e99f921b0649b0b712ce06a1e5317f14eac0989930c3253d03e383e114f8759acf7450fd2222175198337284299
SSDEEP: 768:FXHYasu0INg1C4C7V9FZ9jhWyOjhQ/cU:F3YtbBgzFZ9jhWyOjq0U
Signatures:
- Detect Xworm Payload
- Xworm family
- Drops startup file

Target: 277de6643cae0dcc918de5342ba5f386.exe
Size: 23KB
MD5: 277de6643cae0dcc918de5342ba5f386
SHA1: 21ea2be08f0383e17920bc69e0ca8093e736f6ce
SHA256: 034571fe3806bfc17dba77d5b97ee76375df0989a4462f72d79287b7231dd040
SHA512: ad17ff0df3b8d13dc17752ed4e7d66ff69a8d52207b0b6c860a4ec0cdaeeb775fc69bac4c5f27d8f89f48a96d0598420cd45149edb3ac10eb578f2299da41f5e
SSDEEP: 384:/AQ+SAN7uprgvM5OSUswZXg6rgbm4hfpFmRvR6JZlbw8hqIusZzZVb:vOaxVUxRpcnue
Signatures:
- Njrat family
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL

Target: 279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Size: 1.6MB
MD5: f088c5388663eeeed395b7263d1f4993
SHA1: 698d5eaabf3b5ce145f89f810311a0b42dade120
SHA256: 279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819
SHA512: c9d946db7a10abed675d764436f3af3482b5259589fa976758b28bcd7c5b380bde9e338783611cbc5925cfdabbe0c9ba930bdb85aec7e6190d935b678b5dbba6
SSDEEP: 24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score: 10/10
Signatures:
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

Target: 279dab20ac900bec30b0f1793b059f0d.exe
Size: 885KB
MD5: 279dab20ac900bec30b0f1793b059f0d
SHA1: 746b709243322cebafc65da649e8b2a9955033b0
SHA256: 035e4ad513f0cb3ac0e1ef6c550e753ba271cf1795721a84f019c877cc53bfe5
SHA512: 5a02f8bef439ed12276e3e7fbbb0b405988289cb2958c33a26f22c5a21d28f0befa0cc5df26abf1e1a51a0a81d37f2da945cc22f48ebd20503e7987ec5265338
SSDEEP: 12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u
Score: 10/10
Signatures:
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

Target: 27aa584234053a57f89d2e393478ef04.exe
Size: 97KB
MD5: 27aa584234053a57f89d2e393478ef04
SHA1: 56969025047f74cd434cbb444de6ff3ce3a96cb5
SHA256: 54ad65b8e1afd5bb9dbd5ad7b5c66eeb36461d9c814ec6854abcbd33959ff2a8
SHA512: fed56d5eda48e1738e6a45b78fe2278bfa8fbf8ee4cf8c2566efea51e38894f33c4899a5fff756a81b67ba69030b021a578c41df54432f282503cf9ed6f56401
SSDEEP: 1536:MYxlY23kGwgMBUQGum2U8aVCguHEvQEbFeDVC3woFRKpTdeE:DlY23kg3sguGDFaXeE
Signatures:
- Njrat family
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 27b356f4e4551c76a9bd9011156ba560.exe
Size: 846KB
MD5: 27b356f4e4551c76a9bd9011156ba560
SHA1: bc2cb4421dbfbe573db2a923bd0cf460e1bc7102
SHA256: 3deb9bf412bb63728f56e63c25669fa7f615e89fdaf872c7f4345ca892b98cad
SHA512: bf497517e7d8d48da9a6562959354d71d9fcc08a8fb0430be0b437e6b4404e3d98a347255fc1f9e61f63f37ae238666ca3379e1b2301ddea06d2c360dd1d3d52
SSDEEP: 12288:BdZnbEo7qAJSjwGlfaaZFo0b5UrEBauMYFjcaxjMJ51A/POFUI7U5GGXBu/647Q7:9bEiOwyaWXUluLFRxjM9AXdI7+Gku
Signatures:
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
- Vipkeylogger family
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 27f2cdcc8ecc897dfe40d5af2b4122fc9a40843d60a0506a4a2d5044650a5f20.exe
Size: 135KB
MD5: 62e5ced86ccb25c5692dda3779968bbf
SHA1: 5d329227cb51365c98b76fa301c7491064e37824
SHA256: 27f2cdcc8ecc897dfe40d5af2b4122fc9a40843d60a0506a4a2d5044650a5f20
SHA512: 1463b8b98848cb10d72e654ed2f872fedb9ae4fe394c1974d328c04b552937fcf8d4e33bf37fc324e726cff8e9ee3486b5bfc69d6edbb7199522736d3de11092
SSDEEP: 1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKA:xPd4n/M+WLcilrpgGH/GwY87mVmIXQ
Score: 10/10
Signatures:
- Remcos family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 27f98377943c5b084728d381bf46e854.exe
Size: 97KB
MD5: 27f98377943c5b084728d381bf46e854
SHA1: 9593940f427419dfd2adf4cd1ad4286826ff3845
SHA256: 0a1bda6f7c5c6c9696164a73a94bd91a553333582082c08eb974d7b5aad215da
SHA512: 1c9197b189fc3e1fdbccae8c847e96e2b3c44f5b2af93a0f8805735a55d4b65c106966db4cb0136c19e6d3118f75c5f6a3065e7fbb8a6fc7fa5d1d10f7ec9de7
SSDEEP: 1536:18w4O/aH3jJ6tWOh1OErrUS652utcA6KmWoLPdCJ:183WWtErr7652zmuPd6
Score: 10/10
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Modify Registry (4)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)