General

  • Target

    4508B79414A6EE98BADBF039ABA57A3C.exe

  • Size

    4.2MB

  • Sample

    210701-8755bwasfn

  • MD5

    4508b79414a6ee98badbf039aba57a3c

  • SHA1

    4d40b457b656220ffe113c83931675c1fa3ec12b

  • SHA256

    ce6c7f3f54f49e2e6bd10fcdae8e91a616a4234df9f694d44db8582ab1c20ed1

  • SHA512

    52cdafdfb7f39f3dd9ed0c0d7584268e56ff05315974ebc9b4b8d47f1af9ac6c8380eae758c8e1d1bfd195311735d8a8d4e46d39e8f7155bd7521d483bee77ff

Malware Config

Targets

    • Target

      4508B79414A6EE98BADBF039ABA57A3C.exe

    • Size

      4.2MB

    • MD5

      4508b79414a6ee98badbf039aba57a3c

    • SHA1

      4d40b457b656220ffe113c83931675c1fa3ec12b

    • SHA256

      ce6c7f3f54f49e2e6bd10fcdae8e91a616a4234df9f694d44db8582ab1c20ed1

    • SHA512

      52cdafdfb7f39f3dd9ed0c0d7584268e56ff05315974ebc9b4b8d47f1af9ac6c8380eae758c8e1d1bfd195311735d8a8d4e46d39e8f7155bd7521d483bee77ff

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block at first sight.

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Modifies Windows Defender Real-time Protection settings

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • DCRat Payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • XMRig Miner Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
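The Defender-related signatures above ("Contains code to disable Windows Defender", "Modifies Windows Defender Real-time Protection settings", "Windows security modification") fire on registry writes and PowerShell commands that switch protection features off. The following is an added example of detection logic for those behaviours, not code from the sandbox or from the sample; it runs over constructed Sysmon-style events (Event ID 13 registry value set, Event ID 1 process creation) that are made up for the example, and maps hits to T1089, the ATT&CK v6 ID used in the matrix on this page.

```python
"""Detection logic for the Defender-tampering signatures above.

The events below are constructed Sysmon-style records (Event ID 13 =
registry value set, Event ID 1 = process creation) written for this
example; the field names mirror Sysmon's, the contents are made up.
"""
import re

# Registry values (and matching Set-MpPreference switches) that switch
# a Defender protection feature off. Matched case-insensitively.
TAMPER_SETTINGS = {
    "disablerealtimemonitoring": "real-time monitoring",
    "disableblockatfirstseen": "block at first sight",
    "disableioavprotection": "scanning of downloaded files/attachments",
    "disablebehaviormonitoring": "behavior monitoring",
    "disableantispyware": "Defender engine (DisableAntiSpyware)",
}

# Both the policy hive (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender)
# and the product hive (HKLM\SOFTWARE\Microsoft\Windows Defender) contain
# this substring, so one marker covers both.
DEFENDER_KEY_MARKER = "\\microsoft\\windows defender\\"

# "-DisableRealtimeMonitoring $true" or "-DisableRealtimeMonitoring 1"
MPPREF_SWITCH_RE = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
DWORD_RE = re.compile(r"0x([0-9a-f]+)", re.I)

# ATT&CK v6 ID used by the matrix on this page (T1562.001 in current ATT&CK)
TECHNIQUE = "T1089"


def _from_registry(ev):
    """Sysmon Event ID 13: a non-zero DWORD written to a Disable* value."""
    target = ev.get("TargetObject", "")
    low = target.lower()
    if DEFENDER_KEY_MARKER not in low:
        return []
    value_name = low.rsplit("\\", 1)[-1]
    feature = TAMPER_SETTINGS.get(value_name)
    if feature is None:
        return []
    # Sysmon renders DWORD data as "DWORD (0x00000001)"; a zero write
    # re-enables the feature and is not tampering.
    m = DWORD_RE.search(ev.get("Details", ""))
    if not m or int(m.group(1), 16) == 0:
        return []
    return [{"event_id": 13, "image": ev.get("Image", ""), "feature": feature,
             "evidence": target, "technique": TECHNIQUE}]


def _from_process(ev):
    """Sysmon Event ID 1: Set-MpPreference turning features off."""
    cmd = ev.get("CommandLine", "")
    if "set-mppreference" not in cmd.lower():
        return []
    hits = []
    for m in MPPREF_SWITCH_RE.finditer(cmd):
        feature = TAMPER_SETTINGS.get(m.group(1).lower())
        if feature:
            hits.append({"event_id": 1, "image": ev.get("Image", ""),
                         "feature": feature, "evidence": cmd,
                         "technique": TECHNIQUE})
    return hits


def detect_defender_tampering(events):
    """Return one finding per disabled feature, in event order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 13:
            findings.extend(_from_registry(ev))
        elif ev.get("EventID") == 1:
            findings.extend(_from_process(ev))
    return findings


SAMPLE_EVENTS = [  # constructed for this example, not from the sandbox run
    {"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\DisableBlockAtFirstSeen",
     "Details": "DWORD (0x00000001)"},
    # Group Policy re-enabling a feature writes 0: not a finding.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\gpupdate.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true\""},
    # Defender's own bookkeeping under its key: not a Disable* value.
    {"EventID": 13, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\LastScan",
     "Details": "DWORD (0x5f0a1234)"},
]

if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"[{f['technique']}] evt {f['event_id']}: {f['feature']} disabled by {f['image']}")
```

The zero-value and non-Disable* cases are kept in the sample deliberately: a rule that keys only on the Defender registry path produces noise from Group Policy refreshes and from MsMpEng.exe itself, so the DWORD value and the value name both have to match before a finding is raised.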

MITRE ATT&CK Matrix (ATT&CK v6; the number in parentheses is the count of matched signatures)

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Modify Existing Service (1) T1031

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Modify Registry (3) T1112

    Disabling Security Tools (2) T1089

  • Credential Access

    Credentials in Files (2) T1081

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082

    Remote System Discovery (1) T1018

  • Collection

    Data from Local System (2) T1005

  • Command and Control

    Web Service (1) T1102