Rouzzzey.7z

General

Target: Rouzzzey.7z
Size: 17MB
Sample: 210421-67ta5keqaa
Score: 10/10
MD5: ad251dc50433cd8de777ff5cd9fcfd0c
SHA1: badaca6896ac49d890ad3d2b9a7a2887d3f74591
SHA256: 1c727f37816d073ee277ef1fd45a449ba5b877a3f96add64bb052d50b69de81d
SHA512: 413cf9c661d4179455e8379b8ff42fe195ff98f703916151579fa304f076b83abb28296a6f5adc9bdf92607e60c4541a1c6edcbc6d96e50e7cbd245b71f463c1

Malware Config

Targets

Target: dashdV.exe
MD5: 765f570a565d578f2ace3ccb41cef038
Filesize: 17MB
Score: 10/10
SHA1: 89b44e3aa8f3c93f80ae29f7a36a9486b080229d
SHA256: 0d7c515d3483b45d5725717070e8497435c39b3450af59194b2a32a33c2867e8
SHA512: 941862a1d09e70725f9826b05dc8a8c7442add91229f39ac7ea9d4e6b8d0f751d749ac6b6ac2202290122945e14bab06516680a7007598af7cca62ac1b465898

Signatures

  • DCrat
    Description: DarkCrystal RAT.

  • DcRat
    Description: DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Modifies WinLogon for persistence
    TTPs: Winlogon Helper DLL; Modify Registry

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation