General

  • Target

    ed5872028e073a00549aa0ffe151dc4d641eae83694c1fcc3dc545183c091d97.exe

  • Size

    283KB

  • Sample

    210416-bjfkp7eabj

  • MD5

    1f130569a8373dfae4f387d4757769cf

  • SHA1

    038f27c37ade7fcb97745e149b65258a7a1ea295

  • SHA256

    ed5872028e073a00549aa0ffe151dc4d641eae83694c1fcc3dc545183c091d97

  • SHA512

    7401da486a4141efe362f3ba80299f3305e05866e7a04cad8a40107fe6a83765e4616af4ef6f6f40b605135cd34a3c48dedc6023ee32facfb8b4984f29cfa7b3

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • DiamondFox

      DiamondFox is a multipurpose botnet with many capabilities.

    • DiamondFox payload

      Detects DiamondFox payload in file/memory.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

  • Collection

    Data from Local System (T1005): 1