General

  • Target

    Software updated v2.0.5.rar

  • Size

    928KB

  • Sample

    210717-cyvzcfhxjj

  • MD5

    85c99ab7c8d99cc46ec98267eec4df7a

  • SHA1

    dfdcb8e719d4c13d0aa79e224a89e2e30e75cb23

  • SHA256

    339abe255add87b4e01c40d9cce0650d5f0651c39c1c3f375bb614927deb6013

  • SHA512

    18f549f0082159f6ae6a580ade615c37b79ce828e48094943197c3ede28a2c8e0c39e5aac64b3a96c44f8e234df9763cfc2d22927fe105424cc864ac4acb41e8

Malware Config

Targets

    • Target

      Software updated v2.0.5.exe

    • Size

      1.0MB

    • MD5

      5bf71f0f7776fe52e73010044fc0b5de

    • SHA1

      77155ff48d18f3dea5efd60cd457787177aaadd9

    • SHA256

      ede1dd52501d61439063d9a4610afa9aab0e85e085cdeca2acc266448577c2d6

    • SHA512

      9a229a16fdb687958eb16c1a1bec507611a885cc2499cdf602e8f44531059d981c7afb46c928e4fd9fe8bde109ed4e76c3eb9a0415beba1ce03b8f0e45b56387

    • DCrat

      DarkCrystal RAT.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • DCRat Payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • XMRig Miner Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                  Technique                       Count   ID
  ----------------------  ------------------------------  ------  ------
  Execution               Scheduled Task                  1       T1053
  Persistence             Scheduled Task                  1       T1053
  Privilege Escalation    Scheduled Task                  1       T1053
  Defense Evasion         Install Root Certificate        1       T1130
  Defense Evasion         Modify Registry                 1       T1112
  Credential Access       Credentials in Files            2       T1081
  Discovery               System Information Discovery    1       T1082
  Discovery               Remote System Discovery         1       T1018
  Collection              Data from Local System          2       T1005
  Command and Control     Web Service                     1       T1102

Tasks