Overview

overview

10

Static

static

10

98cae67f5c...4f.exe

windows7-x64

7

98cae67f5c...4f.exe

windows10-2004-x64

7

98cfbc262e...bc.exe

windows7-x64

10

98cfbc262e...bc.exe

windows10-2004-x64

10

98d8bede74...ed.exe

windows7-x64

10

98d8bede74...ed.exe

windows10-2004-x64

10

9905bf91d0...cd.exe

windows7-x64

3

9905bf91d0...cd.exe

windows10-2004-x64

3

99171e268b...08.exe

windows7-x64

10

99171e268b...08.exe

windows10-2004-x64

10

991fdf0c20...cd.exe

windows7-x64

10

991fdf0c20...cd.exe

windows10-2004-x64

10

9921900649...5f.exe

windows7-x64

10

9921900649...5f.exe

windows10-2004-x64

10

9941d8f932...2a.exe

windows7-x64

10

9941d8f932...2a.exe

windows10-2004-x64

10

997e8d89ff...b8.exe

windows7-x64

3

997e8d89ff...b8.exe

windows10-2004-x64

10

998566d8ea...73.exe

windows7-x64

10

998566d8ea...73.exe

windows10-2004-x64

10

99bf888072...4b.exe

windows7-x64

10

99bf888072...4b.exe

windows10-2004-x64

10

99f05fe5d0...13.exe

windows7-x64

7

99f05fe5d0...13.exe

windows10-2004-x64

10

9a11a17452...66.exe

windows7-x64

10

9a11a17452...66.exe

windows10-2004-x64

8

9a26a56f56...c3.exe

windows7-x64

10

9a26a56f56...c3.exe

windows10-2004-x64

10

9a292ed0f5...7a.exe

windows7-x64

10

9a292ed0f5...7a.exe

windows10-2004-x64

10

9a3fe6a67d...4c.exe

windows7-x64

10

9a3fe6a67d...4c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_38.zip

  • Size

    67.9MB

  • Sample

    250322-gzgtzsy1bv

  • MD5

    a5a89c3b39f3dc18c2f4be3ff7e43264

  • SHA1

    ba64b3c28f6323d8e20124d1b91be7c8a5d78f09

  • SHA256

    a1ddae9574bbeadd40b789fc8c7719b47c0d4bd8ed93abbd1d07f7e866ac40a6

  • SHA512

    5634a8ed60ae394d399631f8a32091be266b2864d5191e3cc31ec233cd8bc72ef21a6eff39290ecada377fee46f2b1b4b813342d7dbcae6e0f7315ed6cd855b1

  • SSDEEP

    1572864:kuS3wm7LVvArT7fbmcphAVnIioVFORvT2WauuOkAWrOLANqkUJ:egm0T2cp4+nORL2WauHkAW6Lk+

Score
10/10
asyncratdcratnjratremcosumbralxwormdefaulthackedhosttomo no rabodefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8000
Mutex

ddsO1QLOdEGK

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows745635.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

if-contest.gl.at.ply.gg:5461
Mutex

a5a79fb1775f786eb21894fd18e9b5d3

Attributes
  • reg_key

    a5a79fb1775f786eb21894fd18e9b5d3

  • splitter

    |'|'|

Extracted

Family

xworm

C2

hp-aggressive.gl.at.ply.gg:8877

127.0.0.1:6258

would-portland.gl.at.ply.gg:6258
Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

njrat

Version

im523

Botnet

tomo no rabo

C2

127.0.0.1:5551

Mutex

232142747b254d71feaaa3ed6502a584

Attributes
  • reg_key

    232142747b254d71feaaa3ed6502a584

  • splitter

    |'|'|

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1352290842009796729/G8yLk-T0sLJfX9oqfGwDEn679VpKN-s9_di6iL35v7J0EuZOmgrqGv_vPjXY_ihAjPfX

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dod
  • Password:
    Ball900@@

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      98cae67f5c84a8d9acc00a5117a1554f.exe

    • Size

      2.1MB

    • MD5

      98cae67f5c84a8d9acc00a5117a1554f

    • SHA1

      21527275a801dcac3efb0491f11e3d2904293fb0

    • SHA256

      fffd5222db48561afd0141bc1c15b66f10bec748d7430a6a4a79dc3899485f2f

    • SHA512

      6044797b07bff8f9a78fc84f3279db7ff98517e03f26305dd58d62122ce199280c81a64aef68e7def789b4d7bd7fd1b6a8ab1c404f3f47ab97bcda1247b8d99a

    • SSDEEP

      49152:X/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4CfI:J

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral1behavioral2

    • Target

      98cfbc262ebb26100ed9ac81797240fd925afadc49cc2de443c5166155dea4bc.exe

    • Size

      2.0MB

    • MD5

      b69787eb276e894867e7c1312657cc61

    • SHA1

      e8edb28768eb48b7db9ba147881c8e1b1cf4db68

    • SHA256

      98cfbc262ebb26100ed9ac81797240fd925afadc49cc2de443c5166155dea4bc

    • SHA512

      df1e774909c03934cf73228447329b974205fe9604cf7b2dbc788cd2b33c803ad56a13aa12d828311de60a31165fef7155fad5340ac8524cf7202e9c3baacf99

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral3behavioral4

    • Target

      98d8bede7463eab3906d2bef4f619e0d387b872d36bc41df635c0458a9c87bed.exe

    • Size

      1.7MB

    • MD5

      2969ba68d7cb777ee4d1d94e3ca26b2e

    • SHA1

      25b6ec11226afa942f8468d291a3989860acc934

    • SHA256

      98d8bede7463eab3906d2bef4f619e0d387b872d36bc41df635c0458a9c87bed

    • SHA512

      3069d2eb6c2c6e907908de56470e89858757966f785fcaf77f8fa1b37f5b69f97778b5f9764d8bfbbe99031c3a859355457f54e2350173fda80f2cb0e3e45e77

    • SSDEEP

      24576:0D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoI1:0p7E+QrFUBgq2d1

    Score
    10/10
    remcoshostdiscoverypersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      9905bf91d0e085747b6f595a7eca6dcd.exe

    • Size

      41KB

    • MD5

      9905bf91d0e085747b6f595a7eca6dcd

    • SHA1

      10955abe37a2ca6a42aa8c0cefbcadf3cafd0aa9

    • SHA256

      9149934feacd6b6fbfcbf308005f48f1bd25470df5de900cf1821361c394bf1e

    • SHA512

      77c00a468199c2c7ee4bed618dd4446f52c34bae500b264858918d8f03d0b18ea4d4c3bc0973c364f6606a165f80c29e64ddff9aa4fa6e7af15d8499b7589955

    • SSDEEP

      768:OSJWpNoNh61tDcG5KNis0w2c6Rio9zr6FfP2E:+zoNA1SG5misGc6IgzrU3

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe

    • Size

      1.6MB

    • MD5

      c108bff5d7cf5216d440596c5c03fea4

    • SHA1

      33eba9f19413d2d26bcd5b21b49bb43563cc0808

    • SHA256

      99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08

    • SHA512

      e92f8bd34f4aba2d026741fc883531532687579a97ceea6ea65926e2ff9e3a6905d959e21a24f0e8395cae8d676f972c05ea4e107875d3e41e9f6e05d436f4b3

    • SSDEEP

      24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral10behavioral9

    • Target

      991fdf0c20a212d8d3839c020318c3cd.exe

    • Size

      2.0MB

    • MD5

      991fdf0c20a212d8d3839c020318c3cd

    • SHA1

      cfeda955ef7520bae29f7d34f463b46bae0776c8

    • SHA256

      2ab670a17091d7b3cf662a8be6d48c0a7679d712a8f7e02e46497d2bd9a5a7d2

    • SHA512

      e4140f5eddfe63aacb3ea1ee31051570c0068fcf9f74256c7433f66221475308d19072078eb6dec21ba6977b089c7c8c8f178d01eb0716e3a8f6e7f8bd6543a7

    • SSDEEP

      49152:jrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:jdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral11behavioral12

    • Target

      992190064968ef7869b0359d37b24d7f00e340c1a71ea87cde133a89ed24615f.exe

    • Size

      2.0MB

    • MD5

      177fa69d73d91edcd8e7f6e9b3b13321

    • SHA1

      47c085d5d11b49a66826b9169b4cc3eb0b06f18b

    • SHA256

      992190064968ef7869b0359d37b24d7f00e340c1a71ea87cde133a89ed24615f

    • SHA512

      8cb2188ad452f6781b8d3faa606ca9d9671d1af5faaf4b3b2157a44212b9dca9b49ba74d494d72a61938beb1a400c1802378d43d2671864a79bdd7eb8cc77524

    • SSDEEP

      49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral13behavioral14

    • Target

      9941d8f932e596ae65f70b976ecc4f6620bf5ffc6928800633ac9443c0e94c2a.exe

    • Size

      198KB

    • MD5

      ba3ff80611dbb0fad8d1f1985f14d021

    • SHA1

      6ef5df6ce43a740a71a806542c593836d1a89cbf

    • SHA256

      9941d8f932e596ae65f70b976ecc4f6620bf5ffc6928800633ac9443c0e94c2a

    • SHA512

      4c0c84af80f0544aa6fc1a9f21e20461149162751736bace09e4620b20be780b392f512c5b1f157a325b48e3a8ae9a46334f2eeae4155c50692076870bc7b809

    • SSDEEP

      3072:/LLR0bredfUlNX8NFApCFROtLZv7kV6MS9TEjc4bHyN6+bKNhef2aMJ9:/L+uPA4ALZvau8bHwKvI2a

    Score
    10/10
    njratdiscoverytrojan
    behavioral15behavioral16

    • Target

      997e8d89ffb1f23d0014deeb51646ab8.exe

    • Size

      1.3MB

    • MD5

      997e8d89ffb1f23d0014deeb51646ab8

    • SHA1

      13ad27269884c5ea06ae44a601b4d1372cdc782e

    • SHA256

      f31b7b0d8fec7b8d3fb38deabc752db6a2687f6e927714cceadecce290aef89d

    • SHA512

      e59b2ada2b04b93a77c0c13c194594027859af5d15c1e357762c6860616632bb805a1f305819f2a2635818c4b8286f2635aa5a591e037e3c834235a4cbec5fb5

    • SSDEEP

      24576:hCG/hWSboWdURjgXWZxuHIfz7y/8233t9Fge/7vorhAtjDmJDJyj:uSbbdURRwSz7y/8At9F//7gVwmf

    Score
    10/10
    discoverypersistencespywarestealer

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      998566d8ea82f0a3c8f337e42a95f373.exe

    • Size

      45KB

    • MD5

      998566d8ea82f0a3c8f337e42a95f373

    • SHA1

      e61b997562fadf8c805bf9d66b194db9fac2e958

    • SHA256

      c19fa552e9898ac3a969fccbd5225b286393e4d4ef0343df96794e0a633ba1c5

    • SHA512

      b7bdf4a03674899c02999a9a0f9f1fae67d97c0646d37fed97ae770d4ee1240a39f0388ff8dc6eac760bde12d6e291f5371c075ce49728fcf84e2edaddec6407

    • SSDEEP

      768:wuYqlTLoczGWUgP28mo2qMAKjPGaG6PIyzjbFgX3irduljz5WpcBDZ7B:wuYqlTLbj2AKTkDy3bCXSrqz0p6d7B

    Score
    10/10
    asyncratdefaultdiscoveryrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral19behavioral20

    • Target

      99bf8880724cd8aa8da8dcf4b716be4b.exe

    • Size

      984KB

    • MD5

      99bf8880724cd8aa8da8dcf4b716be4b

    • SHA1

      e680337915c7a5a85de7f89ec9bf5455cf3bc75f

    • SHA256

      da677897f339e128512b323a559ed62e782b2115237bb1a0a8bd1092c2d5723f

    • SHA512

      05f82864179d4cbe15cf474001c1696b3a7a9d705864a14d41254a04bc9c56c87804a508d3f139f3db8297b0c50f9bbe2358552a2a0e5218f41bb245abb87c9b

    • SSDEEP

      12288:zzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:zzZvuGD2PvA5YxwmbZB6Uv

    Score
    10/10
    dcratinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral21behavioral22

    • Target

      99f05fe5d0501bee088a89917fddcd13.exe

    • Size

      224KB

    • MD5

      99f05fe5d0501bee088a89917fddcd13

    • SHA1

      c9844f77a489184d6857cfeda58aa739f95a2b07

    • SHA256

      17a942db32ea782d5c4d0219901f0cdfdb3f7926ca078e848257ec0eb7e4cab1

    • SHA512

      f39a644966d68f71017d9d72fc4f1564711294cad5933b1a279253411863fc05b583c4f888c7ba0d5b23d1eb0e418c628d29d8f505265c26bc2933b616ca09a6

    • SSDEEP

      3072:dsXRmUIMitHqQmZe27vc6Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwlmfDD:KR5IbqQmZeG47RZBGxAycKpSPX2Y

    Score
    10/10
    persistence

    • Modifies WinLogon for persistence

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral23behavioral24

    • Target

      9a11a174522b81715e79c23c5d940a66.exe

    • Size

      93KB

    • MD5

      9a11a174522b81715e79c23c5d940a66

    • SHA1

      7a98bdd8057a0d034e13ca85b5184a660ac187b1

    • SHA256

      688c1a3286f2afa26f5c14d5bd3ac3eae66d059d314186409ed9060d815a47dd

    • SHA512

      da01cbf1de22500cce53be313280f7d317b4804f1065ac6f236baba2e60c8f9ba2697e204b5b2b7b9dccb2a7d6694fbdc1988bd8bf0c75e6c96041446aaedf0e

    • SSDEEP

      1536:cOmC+xhUa9urgOB9RNvM4jEwzGi1dDIDGgS:cOgUa9urgONdGi1d+r

    Score
    10/10
    njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral25behavioral26

    • Target

      9a26a56f5680ffdfbab3a6ba869833c3.exe

    • Size

      78KB

    • MD5

      9a26a56f5680ffdfbab3a6ba869833c3

    • SHA1

      3e59b45ce04bad8094a3f70cd95d328d15fcf22b

    • SHA256

      d160bc9c239b66071558c7e6429cd46dc85e37a3c153968d3d619fc69fc660d9

    • SHA512

      7e82d0147de276751a0e0e3f39571202138330d1a7f902e66d819dfded9b17cb5a55e37c3a5d4e0732df8c65c5b4c630cf16d4c07fc927bba4df18946bb33613

    • SSDEEP

      1536:fMr8x3ge6TdznSbgPkKm58VZlIuig/B+P7bFh1XDI6m0hOlfMhTo:0r8+e+SUPkl8iuiQ07bFh13hOlfMhTo

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral27behavioral28

    • Target

      9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe

    • Size

      1.6MB

    • MD5

      1537a2448a3278776c0ad106d583bf42

    • SHA1

      3374a83147189b932096d99e2f34c5c185611242

    • SHA256

      9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a

    • SHA512

      51dab8150cfc0f8c830a3d583e53e6a89a9f05c95daf84dee27cabcd43e03ee2953391d25b366a4a902e6cae6e8b1d05a4eae832d4d51f9e47869ca984e9d10a

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral29behavioral30

    • Target

      9a3fe6a67de09aa96ba2e5be3280ea4c.exe

    • Size

      1.1MB

    • MD5

      9a3fe6a67de09aa96ba2e5be3280ea4c

    • SHA1

      6e4ffce312e07e64e58d3711d22873956299792c

    • SHA256

      ad954fbd7d3e5259656f1f933b0d0e0528fca132b9212fceafb203211267efbf

    • SHA512

      fb3a712d3ac88c3510c8759a0ae3465fa376eda8875f80eef28231c3a0955fc49032200637a695cf7c3f0b7a3e05fa84fbaff3992d58148c5d016c0ecb8e983b

    • SSDEEP

      12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa

    Score
    10/10
    dcratinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

ratdefaulthackedtomo no rabodcratasyncratnjratxwormumbral
Score
10/10

behavioral1

Score
7/10

behavioral2

Score
7/10

behavioral3

dcratinfostealerrat
Score
10/10

behavioral4

dcratinfostealerrat
Score
10/10

behavioral5

remcoshostdiscoverypersistencerat
Score
10/10

behavioral6

remcoshostdiscoverypersistenceratspywarestealer
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

dcratexecutioninfostealerrat
Score
10/10

behavioral10

dcratexecutioninfostealerrat
Score
10/10

behavioral11

dcratinfostealerrat
Score
10/10

behavioral12

dcratinfostealerrat
Score
10/10

behavioral13

dcratinfostealerrat
Score
10/10

behavioral14

dcratinfostealerrat
Score
10/10

behavioral15

njratdiscoverytrojan
Score
10/10

behavioral16

njratdiscoverytrojan
Score
10/10

behavioral17

discovery
Score
3/10

behavioral18

discoverypersistencespywarestealer
Score
10/10

behavioral19

asyncratdefaultdiscoveryrat
Score
10/10

behavioral20

asyncratdefaultdiscoveryrat
Score
10/10

behavioral21

dcratinfostealerpersistencerat
Score
10/10

behavioral22

dcratinfostealerpersistencerat
Score
10/10

behavioral23

persistence
Score
7/10

behavioral24

persistence
Score
10/10

behavioral25

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan
Score
10/10

behavioral26

defense_evasiondiscoverypersistenceprivilege_escalation
Score
8/10

behavioral27

xwormrattrojan
Score
10/10

behavioral28

xwormrattrojan
Score
10/10

behavioral29

dcratexecutioninfostealerrat
Score
10/10

behavioral30

dcratexecutioninfostealerrat
Score
10/10

behavioral31

dcratinfostealerpersistencerat
Score
10/10

behavioral32

dcratinfostealerpersistencerat
Score
10/10