dcrat | 805c5709be7589073f6c90410ba05d8d4240ba487fe7c8febf2de9ba214a489e

Sharing

Copy URL

Twitter E-mail

General

Target

archive_37.zip
Size

26.8MB
Sample

250322-gzepmay1bt
MD5

ceaeb7b9a45b277a284122ad8b2a3b65
SHA1

afba0d3ac06e4c91d6830757c7883dd539a7b9a6
SHA256

805c5709be7589073f6c90410ba05d8d4240ba487fe7c8febf2de9ba214a489e
SHA512

1414ef4e60a6e9fa73e35d733eadd9eb8860ddfea0a0de51ea8eff6380f1faba8b879f2bcfd14f6f20c9ecdef3977dc481b490088a52468ea6e7f08686d9133e
SSDEEP

786432:jF6FPbVIWTyQ37zdWnoIgmiifhwG//yxNmPaLa:jYpSWeQfvmayp

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1352345083734790154/GFci6XX6Mp9mYiOa2PuPVyv_7j7VNbxaCj4Wmx3Z_uGkJGLEHVhy1aRAlSuaZsbKm6Eb

Extracted

Family

njrat

Version

0.7d

Botnet

amore

paodequeijo.ddns.net:1177

Mutex

19990fd2343322c1203853f7bdd329ed

Attributes

reg_key
19990fd2343322c1203853f7bdd329ed
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

RAYZ

rayz511.ddns.net:4744

Mutex

066c35335fc49adbd3a75923ee3411ba

Attributes

reg_key
066c35335fc49adbd3a75923ee3411ba
splitter
|'|'|

Extracted

Family

xworm

Version

3.0

26.ip.gl.ply.gg:54093

Mutex

b1csUhIjEU2ZVYZy

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
- Size
  
  804KB
- MD5
  
  4c69f8efcb6f5641aa8e3ea9f5adfcb8
- SHA1
  
  794a0d95878a7c4f66ea4c11301ee9fa56605ec2
- SHA256
  
  94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd
- SHA512
  
  078dd4ca6fca6a06153498fea75622c10d4cf2d15cd6e073362284ba1c365de79fec268bcd5096a9fb8fe410ab9f3ac30d491bc6f95050d2aabb2b5ce3c379ff
- SSDEEP
  
  6144:UtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKkL:Q6u7+487IFjvelQypyfy7cnKkL
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  94c020786bf74ea45e95666a68b1d21d.exe
- Size
  
  766KB
- MD5
  
  94c020786bf74ea45e95666a68b1d21d
- SHA1
  
  cbfaac4f18ff9979310ee7e4c4b20ddf8e4e3a96
- SHA256
  
  c3e80a42642dc8c5b8cf72db77caf52f67093310a22e6cd3ef058727d5087927
- SHA512
  
  f967ee379ab766063f2a15576a33ecff986cf44d48acc85dffb1b0a91821f747083ede5c209629f5751e6e690f240e0beea79b2ebf410a0c099202fce46139ca
- SSDEEP
  
  6144:qtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKHlW:26u7+487IFjvelQypyfy7cnKHlW
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  94c7c87a82c5b86f793f2553cc5a6c20.exe
- Size
  
  6KB
- MD5
  
  94c7c87a82c5b86f793f2553cc5a6c20
- SHA1
  
  02cae1e82e40d4dca778eec8659877ec94824718
- SHA256
  
  6d59335cf09225a522bf8750faf31850a09443fe07de63ac434e04ae4d8f9051
- SHA512
  
  e0ce34741b5a96b475c608fd5d5effa0e2932d979f204592a1f5ab7b67a84827ca0dd546b8c7fe15313222a0f11598a54c80ac0a33603d87758731eebfe23ac3
- SSDEEP
  
  48:6jC18SU5pN62W9i4dgmyUxDjXVNMKyQPA2YXncKi5XN8rKJZTOukw6W54tdflLP9:KSo/62W/eiLhKcKYd8mZK0YpuzNt
Score

1^/10
behavioral5 behavioral6
- Target
  
  94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
- Size
  
  84KB
- MD5
  
  8ea9319e368eb639c1e9a0477087d124
- SHA1
  
  22bf7bfd9c9c5a880a2f74c442cf80cffc3e35a7
- SHA256
  
  94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1
- SHA512
  
  1ab13b010a354a0bf2a657c4b10735ad6862f1632e833b7b74c19124ea335ef197c650353e6c6399850a85cfa3f7c47143dbb8b0bb81c7d4cdb42b8abb6c1d1b
- SSDEEP
  
  1536:8vgLjrkREx+o/r8H1KJ+rYoX4hz9omrPmKVksmh2wJXzA65rB+DM/KZ:EoojUrD6KV/02wRzA65rB+DmKZ
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  94e2ada20e21670b71abcc87c81ea0f6.exe
- Size
  
  135KB
- MD5
  
  94e2ada20e21670b71abcc87c81ea0f6
- SHA1
  
  3bf8abc4c4c08026f172057d24e97c6cc5dd1091
- SHA256
  
  91a0511445ab6427f6fb0de1529a1104486dea9c0afd5646e7972122566f3814
- SHA512
  
  8b60cd355cc70d9ff332350b574fc8c43c4e8172f91065ec250b546e64116296ca982a1c1e7c11fde1624169b76bd0fa05617e53d2b8ce5167b0326bf56b8d16
- SSDEEP
  
  3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXarM2:xP6/M+WLckOBhVmIqrM2
Score

10^/10

discovery persistence remcos host rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  952e0a7f82d06cd737223c4fe0c0d133.exe
- Size
  
  1.8MB
- MD5
  
  952e0a7f82d06cd737223c4fe0c0d133
- SHA1
  
  24d37aeab2e3b1d0548083f4604613842b28afa2
- SHA256
  
  492a632dfcfeca43ae8aabdd419c327bbfd4e871add1d140a5e44f69769bc118
- SHA512
  
  74c567d5e8d55efae270d18e26e6052c805bc78f0179943efd32177fad5fa49dc7c5c654102dac0e76cc341efcd0a8d33333e1fae293f62e1d116915b0c1abe1
- SSDEEP
  
  49152:tlZokWANv49qD8SgQMAyVOr6kcXMfKAfqNMP9Pyz6DMPCMTbzdZG:t2sr6kcXv69PvQP1vG
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
- Size
  
  903KB
- MD5
  
  63fef350b2de6b1f516cac9122e8e642
- SHA1
  
  2cb07a2d417f8e18c80906dc4fc8253614520c68
- SHA256
  
  953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140
- SHA512
  
  0575ab2275e5e0ea2b875eefecea7e7d5b8951a9508e45b97277466abfe6182f6dacbf128f5d30640a59017756fb87db66f13d01f81b70553d6dce8417b1c60f
- SSDEEP
  
  12288:tp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRz9Mr:tpugRNJI1D39dlfGQrFUx9Mr
Score

10^/10

remcos host discovery persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  9576cc7c1d016017905b260b127b983f.exe
- Size
  
  1.9MB
- MD5
  
  9576cc7c1d016017905b260b127b983f
- SHA1
  
  085fbeb0456c1eb2f9d1854e4940def27aab0386
- SHA256
  
  5d64fc503e241b1ffafe9179e97d244b2af292a14b95f5513c48ba0557d14de2
- SHA512
  
  8bb12a73650c814edf1899c1453b40b92114f316de9b76dbd20f724f2970514f0f4c6afcf41a37a8796e90917f4ef11cea1043e6815e08ce199643a27f64c4a0
- SSDEEP
  
  24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral15 behavioral16
- Target
  
  959c2d37a1e94337957c5323aab9bf19.exe
- Size
  
  78KB
- MD5
  
  959c2d37a1e94337957c5323aab9bf19
- SHA1
  
  c1008d70530f9b443d3fd3bf777d55c7bcbb34cf
- SHA256
  
  aaeda31514ca109b3a85002648761d73f97e281fcc8171ef5300c68950658507
- SHA512
  
  991c2d17b495f01d2678340f7709f35d8baa13aac185b489ec74a72cc9d442b9e801dc90605d8da482b2933b1fe1efdf2b251ae04f6e03d4e0d9ba1ce7a4c2c9
- SSDEEP
  
  1536:wRWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRP9/o1xc:wRWtHa3Ln7N041QqhgRP9/j
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
- Size
  
  231KB
- MD5
  
  e839bc5a747d12236b61f0120413cd3b
- SHA1
  
  7c714302034de81af274a784e1bc62fce85b3ee5
- SHA256
  
  95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb
- SHA512
  
  0fe330a45d6aacee8397b67288b3b8d8ba7a796dff5ed551ea1cd79be07104d8da37a94d3022d52fc763e9b040f0d9f92c7604bacb9fcd0d8db9df5b320912bd
- SSDEEP
  
  6144:RloZM0rIkd8g+EtXHkv/iD4SJm1syVtGNTOMdRYsGb8e1mIi:joZDL+EP8SJm1syVtGNTOMdRYPS
Score

10^/10

umbral stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral19 behavioral20
- Target
  
  95fc2287fc4fea75666b56cfd668d72c.exe
- Size
  
  9.7MB
- MD5
  
  95fc2287fc4fea75666b56cfd668d72c
- SHA1
  
  9de58712ca97a8b052b21f8ce7afa9708b671c2b
- SHA256
  
  16e39062569dd0ef3936b52c974370c6ef11b58149eae4f9d42b7f1079765091
- SHA512
  
  96371451474490e42cf2444eee70a1a1be4f0a32888f348e1d3ea004bc71621dce799b1190fd9388d2bde36a5d3c57ad9d79c602a798dad5ec626a161032bf70
- SSDEEP
  
  196608:2Nsg4AMgAINsg4AMgAFNsg4AMgAINsg4AMgAENsg4AMgAiNsg4AMgAANsg4AMgAu:2Gg4a3Gg4aqGg4ajGg4aDGg4a1Gg4aP9
Score

10^/10

xred backdoor collection discovery execution macro persistence spyware stealer
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
- Size
  
  315KB
- MD5
  
  5f805c896ade7da580a9f19fc62df5aa
- SHA1
  
  02d18566882c600a57632f36b2311be6e64abd67
- SHA256
  
  960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104
- SHA512
  
  d525d44f498667bec9d2a77d02b17d6b13b0b4bc2d5ae9e94a314885bf9afb53cca549aaf926641bfe4b4c2b5a04f7ff2c1ef5b50bbfb35e4779882e81228946
- SSDEEP
  
  6144:Jv3bmJmfsqRbDIbglrZoV/e9jmHsRAMrb7Yy9bNI0R:1bNr/2c2W5mHsuu
Score

1^/10
behavioral23 behavioral24
- Target
  
  96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
- Size
  
  563KB
- MD5
  
  d7302b3ada27634117855bf070469296
- SHA1
  
  7cc8efa13fdbbbf43ab2bc52bfff8c0d0fea4d43
- SHA256
  
  96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff
- SHA512
  
  ea2e014cbcbabb219988a1ffe0495d0df6e5e6675786e2e79180abb3c4cfe9c3acf1dfb9219a82fd4a019ccf98fd718d4b225158ea212c4c92de5642ec9e84fd
- SSDEEP
  
  6144:uNHtA5qe9h6DSdvse6VlWT8b9PpQ+yr6gNHVgSj0srV7bw4vpuWDQz:u3+kWvsPVle8RpQ/JWSQ6XQz
Score

1^/10
behavioral25 behavioral26
- Target
  
  9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
- Size
  
  529KB
- MD5
  
  d376e124c1a4ed2c7959e8cbd2775339
- SHA1
  
  9445cf43bc6829f0db20fd7b35770ad2085e917a
- SHA256
  
  9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7
- SHA512
  
  11a0f248cec40c2410e754c463495cb06b6c145045c993c0c1440db49bc34645a488b95a9b564b4a8d65b93ef7d79c4dd0064a52d0bdbd3e6d24fe153774e989
- SSDEEP
  
  6144:DDzbGU1pj1dLtQIjSaLRTKJRTP09MQLHaNrRW+3MbLEZkqvd:DDzb1DdLtcMRe7TPcM4gRPlqCd
Score

1^/10
behavioral27 behavioral28
- Target
  
  96959cb1423fd801a2e3d718868a3776.exe
- Size
  
  78KB
- MD5
  
  96959cb1423fd801a2e3d718868a3776
- SHA1
  
  65d1736c9b979158bbfd4c1674f91fb034506eef
- SHA256
  
  1905c3deaf30debadbb9311cd746db562d2c92f17ff356b6a66d9e448fc7ce6e
- SHA512
  
  1ff6b163e10a01f18d28d5be955665324e63606ed380b15ca66943b1547f366f7713b291ceb48a42b02d7912b1f3ee3a1077f0d0ebec28eedd0579627609df28
- SSDEEP
  
  1536:vsHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/213n:vsHY53Ln7N041QqhgD9/Y
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral29 behavioral30
- Target
  
  96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
- Size
  
  372KB
- MD5
  
  04f517ad3dbfedd58ba599b17f0b280b
- SHA1
  
  d2d19f89b31136881b46b5b459dc87c80d5555bf
- SHA256
  
  96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da
- SHA512
  
  8be216dd87ac40cd060c97b0f4f9cf497e0f91e1c1ee30b732c9e333b511cb7cd660db37f983bb266e7874b00991850e87c00ca06347fcdf257183546213bd9f
- SSDEEP
  
  6144:t90nfbbmC1vJ/lwphR3sje6VlWT8b97zRMDHK4ygGaUbYoidnhi:tKm8vJ7PVle8NzqyDal
Score

10^/10

persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Loads dropped DLL
behavioral31 behavioral32