General

  • Target

    MalwareDownloader2.1.exe

  • Size

    7.1MB

  • Sample

    210302-l4wt18jxvn

  • MD5

    53be36b74b6124f80cede2e9fe49ef35

  • SHA1

    aec8c32b3c3b8a0100b930cdf6b6632da2509ec4

  • SHA256

    66056e1c2ae89e116d235f70b838391efec6b33e93d09de0b3f66507e3087e4f

  • SHA512

    902d80e35c4b3778b68a0c94b3bb6a007c6f5232a53f6d907c0cf1b639df1ce17d685a98035b0fcfcf306500a46617c51bafb36bba4ab81f15f8cf96bfb9b6f4

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with ACProtect software.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Winlogon Helper DLL (T1004): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • System Information Discovery (T1082): 2

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

Command and Control

  • Web Service (T1102): 1

Tasks