Resubmissions

18-06-2021 14:04

210618-tv5n5gygtn 10

18-06-2021 13:53

210618-hrj4pexwnj 10

General

  • Target

    skinchanger_csgo_13.06.2021.rar

  • Size

    4.5MB

  • Sample

    210618-tv5n5gygtn

  • MD5

    558256c083925864f771b107d1e7d8a5

  • SHA1

    ee67ab679f77bf91ea472a1e4f87cf732f132b89

  • SHA256

    81a43a66264606f51011e4d78daebde1d04fa72cb6ed6993004f9a339fdb5e93

  • SHA512

    b57976b69bef4c4ba975c3822eee0d33e9e9691a7e1ce563df982e69f5781e178a86a4bf7ac4f416f0b88c44b3976233a05b8f25e66d1b3dad57c4a3345b8e13

Malware Config

Targets

    • Target

      skinchanger_csgo_13.06.2021.exe

    • Size

      11.8MB

    • MD5

      7deee811c461cbdca7046e8db7cfae20

    • SHA1

      edde2dc49adabe238151cd66063246870083a018

    • SHA256

      b5916559e5eb893a5ee47900a09e9630ef47d6d52492a15238a6748d4ecdab0d

    • SHA512

      f8e382f2679b9db4733e9c622ba8dc44a086272b761430eebd983f40fae4896d539d3de6537581c1d2ffe02357ea87ca3008ca272f9d05992d5f457c93574af2

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Registers COM server for autorun

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • DCRat Payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Each technique is listed with its ATT&CK ID and the number of matching behaviours observed.

  • Execution

    • Scheduled Task (T1053): 1

  • Persistence

    • Registry Run Keys / Startup Folder (T1060): 1

    • Browser Extensions (T1176): 1

    • Scheduled Task (T1053): 1

  • Privilege Escalation

    • Scheduled Task (T1053): 1

  • Defense Evasion

    • File Permissions Modification (T1222): 1

    • Modify Registry (T1112): 3

    • Install Root Certificate (T1130): 1

  • Credential Access

    • Credentials in Files (T1081): 1

  • Discovery

    • Query Registry (T1012): 4

    • System Information Discovery (T1082): 5

    • Peripheral Device Discovery (T1120): 2

  • Collection

    • Data from Local System (T1005): 1

Tasks