dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_23.zip
Size

40.4MB
Sample

250322-gxstgatjw7
MD5

7cb3d59cc2424da354398032f22fdb86
SHA1

6237fddf1052309868ad72e6ccac4ebfa1254d2a
SHA256

b9cae0739fc6daee051551b3e1dfabd39db41c2996f3a905254a71def555ba36
SHA512

780799f3abb8a5d169d2e27f2bb083c22d2b0976c1a70f5b3009f5f7d30a265e9d1f7cb63c206a0da0133e33f769b3b6f1a923b40b0e0020b58b2572de2a5589
SSDEEP

786432:BsjaOAUUnp7NRa6ujrcruv248VadijHP2OgyQ37ElCI6u1TGXT:CjoUWzkjrcyWmOzQYlvtGXT

Malware Config

Extracted

Family

xworm

https://pastebin.com/raw/DfF7GpwD:123456789

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/DfF7GpwD

Extracted

Family

discordrat

Attributes

discord_token
MTM1MjA1NzMyNDc3NjE5NDA2OA.G42d3M.lPgGGTTkVtqnMENPX_QaLq5UCf1wXmylAYB_Nk
server_id
1352056934202740847

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

xpalhack.ddns.net:107

Mutex

7716eb875d4bae48da108d24c4ab3b3e

Attributes

reg_key
7716eb875d4bae48da108d24c4ab3b3e
splitter
|'|'|

Extracted

Family

umbral

https://discord.com/api/webhooks/1352346950175031327/zuvca-7DEQWkYkNjPuRnB2ni-m70o0O2RwaCIjQ4ez0DbQuXvfvdl9TeL4VkGVbBj2NE

Extracted

Family

njrat

Botnet

Hacked By HiDDen PerSOn

Mutex

3b21b5f7698774d914e6e65e2cfd9163

Attributes

reg_key
3b21b5f7698774d914e6e65e2cfd9163

Extracted

Family

quasar

Version

1.4.1

Botnet

weeks-ranger.gl.at.ply.gg:42339

Mutex

4e2597cd-e816-491b-9d41-58f0cd2d27dd

Attributes

encryption_key
E6C5ACEED74B9D3002C954D5485EC4199651D88E
install_name
NvidiaChip.exe
log_directory
Keylogs
reconnect_delay
3000
startup_key
NvidiaChip
subdirectory
NvidiaClient

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  5f039af1a66a3a9d97e5a98931ecadfa8190980e54a6b78f09df47faa4615d91.exe
- Size
  
  7.9MB
- MD5
  
  da1364870c95f396ea84ac60afdab146
- SHA1
  
  d5e023d34954e0d7e32575cf79049a7c64688456
- SHA256
  
  5f039af1a66a3a9d97e5a98931ecadfa8190980e54a6b78f09df47faa4615d91
- SHA512
  
  b6a8827705fda917b0ef6297d37979799f7ca29e9236381b57a7f6bd95b7ede836efa8056851f260706796caf3d6b6d910326fbee209aa85ab5986bdb2f9d536
- SSDEEP
  
  196608:M9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZB2:MmqbhrEbn87eZsFmq+6
Score

7^/10
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  5f176e85cdd34cea58805cd7efb202160ffa0f2e5589dd1b024ce9f6e3019429.exe
- Size
  
  1.6MB
- MD5
  
  1145f23be1c1ceaba1ff7fbe0b80af2b
- SHA1
  
  1a379b9c481a57c905908612408d2cef91eba351
- SHA256
  
  5f176e85cdd34cea58805cd7efb202160ffa0f2e5589dd1b024ce9f6e3019429
- SHA512
  
  b8e6e29725c6bd0badf55a856676671ddd74e8c3ebdd0173e7dab51b408fc38f8268be74c375f400deb343bf3b838677a98b0594479686293fac9634ce89af37
- SSDEEP
  
  49152:2q1UW2zC49YXX6O8RsdMWjDwlHxJuOcx1V:2q1K9YXX788M8wlRRcxP
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  5f59a08b97977550e9802195da378d29eb90021b8759f9e865592f8b50cc51d7.exe
- Size
  
  2.0MB
- MD5
  
  c440451f4bf1c44f534b537e35944991
- SHA1
  
  dabe3ed1eb06f67841a923098985231b9c1daa7b
- SHA256
  
  5f59a08b97977550e9802195da378d29eb90021b8759f9e865592f8b50cc51d7
- SHA512
  
  b9bd0c732e4c231220a7721374ac2c9ca95b4235bffefbeb085e457a18b3e804883551f062163099f7c9c44fa688d6240d01c3244e57d00d423f596b914c760c
- SSDEEP
  
  49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral5 behavioral6
- Target
  
  5f6bf8650715fe3f914b7e24cf572b85fd753d68054c98c36360b67bfa518add.exe
- Size
  
  626KB
- MD5
  
  b675f5607efc77d45aac893264dd601c
- SHA1
  
  6d6d0a2f7bc9d1df99275894d9e455d70da689d1
- SHA256
  
  5f6bf8650715fe3f914b7e24cf572b85fd753d68054c98c36360b67bfa518add
- SHA512
  
  5e74b0c975173351c0c9b4cd49283adfd57e38b768dcbf03f82d30c5f9c1ada0b6e70b97d26a6787bd15f43ae802d5b2f4394123bf4445378a7351dd335b5211
- SSDEEP
  
  12288:wTAALVma8Vk2WbYq5qL7Lp4SKpRUzfBI4xa7iKX:mVma72z9KY7BID7iK
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral7 behavioral8
- Target
  
  5f7cc3cf60f06f621252e35221b7475f34ca6bf1a570758ef048b4e74b61327b.exe
- Size
  
  3.3MB
- MD5
  
  a6b4d6ff1ddf9867a5ed814cab2cd7ac
- SHA1
  
  2e1da71c8b747181d0876009d4caba1fe336e085
- SHA256
  
  5f7cc3cf60f06f621252e35221b7475f34ca6bf1a570758ef048b4e74b61327b
- SHA512
  
  17c5f8ce6ed6f2f3519eae5bea4b7cf6fa78575ed3cd1cc09388ebb44d611c0d63535da2f1b7d5e975d03d01525d45b2890bb7f13d53843086a17cf2926bde34
- SSDEEP
  
  98304:6RS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/Fauf:6kj8NBFwxpNOuk20auf
Score

8^/10

defense_evasion execution spyware stealer
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral10 behavioral9
- Target
  
  5f9e5801114ebb85eeb7e7043704cdab.exe
- Size
  
  13.1MB
- MD5
  
  5f9e5801114ebb85eeb7e7043704cdab
- SHA1
  
  386ecdaeccb2f5fa1f41d2ffb21a6c07333b737c
- SHA256
  
  6c0a0949de63ddfebedb5432edca535364730f6c28790f457e17a2b78510cab4
- SHA512
  
  4f87a796eedc26fabb13d9b34bd76f5520af8367b74b486332c7f377837adda06cb479e67e3e9716e00a7752a5ab47d59e18ebab0898bd0e5e943e1bf1b49bb2
- SSDEEP
  
  196608:6d58/BAe1d4ihvy85JSkLmj/yMpoH+VvqlL1kehn4iRAxAnf38:ByISkqj/yMm+VvsRka4iuxKfM
Score

1^/10
behavioral11 behavioral12
- Target
  
  5fb355ac6b26e9e1c1ccd07879918440f4ecd70fb341dafb8419acddbfe0a933.exe
- Size
  
  1.1MB
- MD5
  
  e19098a4c57ef44739d98eba8287775a
- SHA1
  
  7ec472dca2ba9b6c3976f314ba869834d1972d41
- SHA256
  
  5fb355ac6b26e9e1c1ccd07879918440f4ecd70fb341dafb8419acddbfe0a933
- SHA512
  
  8eb9f5c8bded5f4a7f97f7a415777f1e99dc8c92829ba45f7b55d0677bb271ac8397904944e859cfe30d9fa1cd17ba906e81faecce215409468e83098b31d2cd
- SSDEEP
  
  12288:jz7IFjvelQypyfy7z6u7+4DvbMUsIGoY2hn:jz0FfMz6TEbMUskLn
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  5fbe4073ad9c39dd8a8e295e7569d5bc.exe
- Size
  
  44KB
- MD5
  
  5fbe4073ad9c39dd8a8e295e7569d5bc
- SHA1
  
  8b248e389edb3e4aa8badee94860018270dd207b
- SHA256
  
  14c2d70a5ee84f4df102ee1c8d8814547cd6f577394ba7187bb20612aca8325d
- SHA512
  
  b62ce78d3b24907ad7bd14a1239a0ea7e961bd464c36431f9d2a63fba251c40fd074b9da25f75efa082df0eb93df78042c4f2ab64d83ee44a50609bc2e10c883
- SSDEEP
  
  768:N8w8kJep21xEHUPr4cppEckkRvObyC0wPBpi+911wZYBxkD:N8IBEH9ym6hOblnPB59bwax8
Score

1^/10
behavioral15 behavioral16
- Target
  
  6025a03430599ee8e8561987af97f145.exe
- Size
  
  78KB
- MD5
  
  6025a03430599ee8e8561987af97f145
- SHA1
  
  9ab43188bd8054f0bce0891a13b2387a79afc1b3
- SHA256
  
  40109b15ee4560f27cafb2329d4301b1c7e752580cc96390c2d335b65f5d57c6
- SHA512
  
  d247be89db096e74139333f5157be98801258e7cbee0dbd9d42cc4307a8dcd3f358c58886abb9e33958a1cead3e4c51d2c2a056f224e2235b83197df149f1c7c
- SSDEEP
  
  1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+kPIC:5Zv5PDwbjNrmAE+4IC
Score

10^/10

discordrat persistence rat rootkit stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Legitimate hosting services abused for malware hosting/C2
behavioral17 behavioral18
- Target
  
  603d00b49e0ee1b9c5022174ab248b6c.exe
- Size
  
  18KB
- MD5
  
  603d00b49e0ee1b9c5022174ab248b6c
- SHA1
  
  fd93a10b32cced522ca6274f781066a9fab8af17
- SHA256
  
  8d19be51751f0c459874ae1dc1be93fb7e667bc916f5b11eeb67943b479cb0e9
- SHA512
  
  226f971bb04ba4f0548ad207a308567a5dc7ee1aea5ff933e020e457c38e53a7c8c899e8cd036060c4f1aca7e157c6d076c22422f318cd626b323e558e57f865
- SSDEEP
  
  384:6d+cgTYymL0Tybt/yLp3Ejf0TgShmWTkK6aHv+P:qpxwTyBcEjylTA
Score

1^/10
behavioral19 behavioral20
- Target
  
  605e7762c4bed0a303155d062623280ed30b91c4fccd870f34d5dc760c9b610f.exe
- Size
  
  2.0MB
- MD5
  
  79002fb8b8434e10c9e9e8b5d1594471
- SHA1
  
  ad7aaf3b95c639540b27695300f9afe3f0a4c64e
- SHA256
  
  605e7762c4bed0a303155d062623280ed30b91c4fccd870f34d5dc760c9b610f
- SHA512
  
  9699981d9a72883db3dd0fd73885b21dec065ca2157be465df99b159dca28e346f9ef73f0f154fabe2d4667e6b02e7ae1df58547ed4d15c532bf215bbffc3ad9
- SSDEEP
  
  49152:jrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:jdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral21 behavioral22
- Target
  
  6062c88bd655b72adfaa8b8fb95d56c6.exe
- Size
  
  28KB
- MD5
  
  6062c88bd655b72adfaa8b8fb95d56c6
- SHA1
  
  5bb7960154a50f23da19dae33955daf14b569e65
- SHA256
  
  c1c091908a719aca66bb7853c4ac1c39b17ceefa279cb8d1261e70c593fa97e5
- SHA512
  
  5f5f38ca0704f5e8029daa56321af9d6e4d2ea4dd086b194aebbbb01a2cb8d8df8e52b90e9781cd1c9f387a561b91a2a6ff7522873051906b66bab3e49a9f90c
- SSDEEP
  
  384:2gJGJl7tj1Msagab1h5Vh+2CWmqDebD59ePbGBsbh0w4wlAokw9OhgOL1vYRGOZr:S7nMsanzR+2cqEDveyBKh0p29SgRWM
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  6099cb8be85344f7557b27fba1ae22c1.exe
- Size
  
  5.3MB
- MD5
  
  6099cb8be85344f7557b27fba1ae22c1
- SHA1
  
  5031e7a22b44b1d403840d5bd95a32bab89c813f
- SHA256
  
  1a7d2ecce7b2a972ba3ad112bf7e48f44c57ad5f90077c74ded02e2ea43f691d
- SHA512
  
  6ab8f7ca055c24e92267bf6f83ea518829e52a44f94f39c13f9d657cf98d5bb5257feeaa84307de9376cdb7cb50d941baef39832eaf31e37ad712a003afa26f3
- SSDEEP
  
  98304:FZNVWg4AxEfkzA0ZNVWg4AxEfkzA8ZNVWg4AxEfkzA4ZNVWg4AxEfkzAO:fNsg4AMgAqNsg4AMgASNsg4AMgAuNsgp
Score

10^/10

discovery execution xred backdoor collection persistence spyware stealer
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  60cefc41a36bd39b3ed821f809214b23.exe
- Size
  
  78KB
- MD5
  
  60cefc41a36bd39b3ed821f809214b23
- SHA1
  
  f0780b33e30d9fa6d9770d3582d8a89e6768a301
- SHA256
  
  cabdfa8ff32894fb52519e370cfba5ac756c32806914f9204ad0956ea656c4b1
- SHA512
  
  39a7f50d15e315aa0d7997bd2f42a017e2dfad156c880a114d14625f364445c2ff822be27cc76dd1040d7fd6d2aa22fe2c1b3ae2cfea3d85c47a1a9a6210ebd0
- SSDEEP
  
  1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+lPIC:5Zv5PDwbjNrmAE+1IC
Score

10^/10

discordrat persistence rat rootkit stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
behavioral27 behavioral28
- Target
  
  612990113a2323e56af3abbbb03e5002.exe
- Size
  
  2.0MB
- MD5
  
  612990113a2323e56af3abbbb03e5002
- SHA1
  
  9f34edf4e0a59efa9f44da074f2a9c09f013bff9
- SHA256
  
  c6f13a0bf3c4f3b5f76cb3f74c912b06f2cff22ae079297e863432c3278cd7c7
- SHA512
  
  c3efdac615fd521a096259f58e406aff5658b3bbd082abf6fc65e89489c81b58b662654e472bc8dc41dd5b5ae5b031273811a779776a1b93627922e825624ef7
- SSDEEP
  
  49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral29 behavioral30
- Target
  
  61352802789defec49acc018b1d534a0f36ba97c4486876de06fb2d7ff352b33.exe
- Size
  
  879KB
- MD5
  
  dcb87d6a698acfaa3c8c63e0a7851c48
- SHA1
  
  05f6d08e5550ba2d1481e940e38c7cf4703b3292
- SHA256
  
  61352802789defec49acc018b1d534a0f36ba97c4486876de06fb2d7ff352b33
- SHA512
  
  4f5408d7aeef783e8c3e1ab3f835f2d0c3eb3aa24e542cbb176ad04e24698cd17d1c078d6c564563a1f87aa323998ad7554e7c51576cddf51f9cf3b8a441b754
- SSDEEP
  
  6144:1tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rT7D:n6u7+487IFjvelQypyfy7T7D
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral31 behavioral32