General
- Target: skinchanger_csgo_13.06.2021.rar
- Size: 4.5MB
- Sample: 210618-tv5n5gygtn
- MD5: 558256c083925864f771b107d1e7d8a5
- SHA1: ee67ab679f77bf91ea472a1e4f87cf732f132b89
- SHA256: 81a43a66264606f51011e4d78daebde1d04fa72cb6ed6993004f9a339fdb5e93
- SHA512: b57976b69bef4c4ba975c3822eee0d33e9e9691a7e1ce563df982e69f5781e178a86a4bf7ac4f416f0b88c44b3976233a05b8f25e66d1b3dad57c4a3345b8e13
Static task
static1
Behavioral task
behavioral1
Sample
skinchanger_csgo_13.06.2021.exe
Resource
win10v20210410
Malware Config
Targets
- Target: skinchanger_csgo_13.06.2021.exe
- Size: 11.8MB
- MD5: 7deee811c461cbdca7046e8db7cfae20
- SHA1: edde2dc49adabe238151cd66063246870083a018
- SHA256: b5916559e5eb893a5ee47900a09e9630ef47d6d52492a15238a6748d4ecdab0d
- SHA512: f8e382f2679b9db4733e9c622ba8dc44a086272b761430eebd983f40fae4896d539d3de6537581c1d2ffe02357ea87ca3008ca272f9d05992d5f457c93574af2

- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Registers COM server for autorun
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Registry Run Keys / Startup Folder: 1
- Browser Extensions: 1
- Scheduled Task: 1
Defense Evasion
- File Permissions Modification: 1
- Modify Registry: 3
- Install Root Certificate: 1