General

  • Target

    PianoScrap.exe

  • Size

    84KB

  • Sample

    210627-b5l3ms3lss

  • MD5

    7bca14e2fe5de5d8b6008d5136b3836a

  • SHA1

    dc3fa497624ec58cd1e2f687b8246e817201b4d5

  • SHA256

    6145b4b0d7c1cd9f2fb4e5af83194c149867abff5808ed7b185077b75dc05166

  • SHA512

    1ba56070522c9ec0200e6a35b4365847f176892f82cdb49af650a16f22d385962672acdc248a5cebb21598381c239544db86363e79c88c096638d5075b22ca63

Malware Config

Targets

    • Target

      PianoScrap.exe

    • Size

      84KB

    • MD5

      7bca14e2fe5de5d8b6008d5136b3836a

    • SHA1

      dc3fa497624ec58cd1e2f687b8246e817201b4d5

    • SHA256

      6145b4b0d7c1cd9f2fb4e5af83194c149867abff5808ed7b185077b75dc05166

    • SHA512

      1ba56070522c9ec0200e6a35b4365847f176892f82cdb49af650a16f22d385962672acdc248a5cebb21598381c239544db86363e79c88c096638d5075b22ca63

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks