Resubmissions

| Submitted        | Sample            | Score |
|------------------|-------------------|-------|
| 25-01-2022 20:58 | 220125-zr9txafah2 | 10    |
| 25-01-2022 05:22 | 220125-f2kszshddn | 10    |

General

  • Target

    b5320340037751e10748b6463fab8ee0.exe

  • Size

    2.1MB

  • Sample

    220125-f2kszshddn

  • MD5

    b5320340037751e10748b6463fab8ee0

  • SHA1

    b3e9a125688e9da67708adfcada41bb56de2cd3d

  • SHA256

    b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

  • SHA512

    67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Malware Config

Targets


    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE DCRAT Activity (GET)

    • Executes dropped EXE

    • Deletes itself

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

| Tactic               | Technique                          | Count | ID    |
|----------------------|------------------------------------|-------|-------|
| Execution            | Scheduled Task                     | 1     | T1053 |
| Persistence          | Winlogon Helper DLL                | 1     | T1004 |
| Persistence          | Registry Run Keys / Startup Folder | 1     | T1060 |
| Persistence          | Scheduled Task                     | 1     | T1053 |
| Privilege Escalation | Scheduled Task                     | 1     | T1053 |
| Defense Evasion      | Modify Registry                    | 2     | T1112 |
| Discovery            | System Information Discovery       | 1     | T1082 |

Tasks