Resubmissions

20/04/2025, 08:06

250420-jzq4rsytbv 10

20/04/2025, 02:20

250420-cskvvazzgw 10

20/04/2025, 00:03

250420-ab7xyaxxbt 10

17/04/2025, 13:18

250417-qj83zavscz 4

17/04/2025, 13:03

250417-qavtzst1a1 10

16/04/2025, 23:59

250416-31rlga1pw2 10

11/04/2025, 18:58

250411-xmz3ssxxaw 10

General

  • Target

    pc raper.exe

  • Size

    26.1MB

  • Sample

    250420-jzq4rsytbv

  • MD5

    769bf15770789de44c623b22536b9af8

  • SHA1

    201bc12c782591a524b76a03c815251558bc0e21

  • SHA256

    adfd4e9f51bcd27935f153e44b060b6978f55da9135f34cc62361dbbf2d2db57

  • SHA512

    5ea37c53c01596c067824c698e234b3cddbae8f37ccfe5588629e9bd68eeab3a84b9e3985899f3686d247153f19945b3155ab52899f0e7049f0375c0c8740c18

  • SSDEEP

    393216:c7Uy3zMOT7pkSmtK0NsDrAggcSYwybUG7Syl3SIspfXvYKiTSOQ1edHpDnWK:Q4MOSkqvAggG1QmSycIifXvzTPK

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!

Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Family

marsstealer

Botnet

Default

C2

kenesrakishev.net/wp-admin/admin-ajax.php

Extracted

Family

xworm

Version

5.0

C2

outside-sand.gl.at.ply.gg:31300

they-mailed.gl.at.ply.gg:34942:34942

they-mailed.gl.at.ply.gg:34942

Mutex

VQd9MfbX4V71RInT

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Path

C:\Users\Public\Documents\RGNR_8CA3C997.txt

Ransom Note

Hello VGCARGO !

*****************************************************************************************************************
If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER !
*****************************************************************************************************************

*********What happens with your system ?************
Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US.
You can google it, there is no CHANCES to decrypt data without our SECRET KEY.
But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY.
We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-)
HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!!
Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view !

**** ***********How to get back your files ?******
To decrypt all your files and data you have to pay for the encryption KEY :
BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
Amount to pay (in Bitcoin): 25

**** ***********How much time you have to pay?**********
* You should get in contact with us within 2 days after you noticed the encryption to get a better price.
* The price would be increased by 100% (double price) after 14 Days if there is no contact made.
* The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller.

**** ***********What if files can't be restored ?******
To prove that we really can decrypt your data, we will decrypt one of your locked files !
Just send it to us and you will get it back FOR FREE.
The price for the decryptor is based on the network size, number of employees, annual revenue.
Please feel free to contact us for amount of BTC that should be paid.

****
! IF you don't know how to get bitcoins, we will give you advise how to exchange the money.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

1) Go to the official website of TOX messenger ( https://tox.chat/download.html )
2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. )
3) Open messenger, click "New Profile" and create profile.
4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D
5) For identification, send to our support data from ---RAGNAR SECRET---

IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET---

WARNING!
-Do not try to decrypt files with any third-party software (it will be damaged permanently)
-Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER!
-Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME !

***********************************************************************************
---RAGNAR SECRET---
QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw==
---RAGNAR SECRET---
***********************************************************************************

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

quasar

Version

1.4.1

Botnet

botnet

C2

165.227.31.192:22069

193.161.193.99:64425

193.161.193.99:60470

Mutex

713051d4-4ad4-4ad0-b2ed-4ddd8fe2349d

Attributes
  • encryption_key

    684009117DF150EF232A2EE8AE172085964C1CF0

  • install_name

    System.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Office

  • subdirectory

    Winrar

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Extazz24535-22930.portmap.host:22930

73.62.14.5:4782

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes
  • encryption_key

    CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE

  • install_name

    2klz.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Stinky

C2

ef3243fsert34.ddns.net:47820

oj42315j346ng2134.myvnc.com:47820

Mutex

448b82a7-900f-48ac-b52b-73d8b9b1a9fa

Attributes
  • encryption_key

    7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54

  • install_name

    sru.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    xml

  • subdirectory

    sru

Extracted

Family

quasar

Version

1.4.1

Botnet

21325

C2

146.190.110.91:13000

Mutex

e5627e25-0d0e-4509-8b39-a3de07ba1545

Attributes
  • encryption_key

    3B7163AA2D236AA40236BB7204ED370202AD4ABE

  • install_name

    explorer.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    MicrosoftQuasUpdate

  • subdirectory

    explorer

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-599783296-1627459723-2423478968-1000\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data is encrypted.
To decrypt all the data you will need to purchase our decryption software.
Please contact our sales department at:

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Login: EQA9oydTxwXS
Password: vNtgAgb3kMFmCooANNQr

Follow the guidelines below to avoid losing your data:

- Do not shutdown or reboot your computers, unmount external storages.
- Do not try to decrypt data using third party software. It may cause irreversible damage.
- Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key.
- Do not modify, rename or delete *.key.hive files. Your data will be undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased.
- Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Extracted

Family

quasar

Version

1.5.0

Botnet

BruterV3

C2

147.185.221.17:44915

Mutex

3b364ea6-0ab3-4606-8c9e-e2b51e68c3b8

Attributes
  • encryption_key

    E679E56ABD1A0F53D68F323812B24E67488502F6

  • install_name

    Bruter.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows_Host_Process

  • subdirectory

    RealtekAudio

Targets

    • Target

      pc raper.exe

    • Size

      26.1MB

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Detect Xworm Payload

    • Detects Go variant of Hive Ransomware

    • Hive

      A ransomware written in Golang first seen in June 2021.

    • Hive family

    • Mars Stealer

      An infostealer written in C++ based on other infostealers.

    • Marsstealer family

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RagnarLocker

      Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

    • Ragnarlocker family

    • SquirrelWaffle

      SquirrelWaffle is a simple downloader written in C++.

    • Squirrelwaffle family

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Wannacry family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (3321) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Squirrelwaffle payload

    • mimikatz is an open source tool to dump credentials on Windows

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
