Overview

overview

10

Static

static

a77873bfea...a3.exe

windows7_x64

10

a77873bfea...a3.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a77873bfea27896f94731478d64541a3.exe

  • Size

    873KB

  • Sample

    220209-d5xwlshba2

  • MD5

    a77873bfea27896f94731478d64541a3

  • SHA1

    9d9596b12d51e06dd1c509c3df0cb7432fb60156

  • SHA256

    0c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e

  • SHA512

    34c94a9e432bb0d4e2154ca80d2a42bb47e4a3ff29a5ecb9d24eb4db235a3dfb7e6c532edb05bcb4a1e299c4b040e39d2c0eeeac8593e7b0babcdaf834e49a0e

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Targets

    • Target

      a77873bfea27896f94731478d64541a3.exe

    • Size

      873KB

    • MD5

      a77873bfea27896f94731478d64541a3

    • SHA1

      9d9596b12d51e06dd1c509c3df0cb7432fb60156

    • SHA256

      0c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e

    • SHA512

      34c94a9e432bb0d4e2154ca80d2a42bb47e4a3ff29a5ecb9d24eb4db235a3dfb7e6c532edb05bcb4a1e299c4b040e39d2c0eeeac8593e7b0babcdaf834e49a0e

    Score
    10/10
    dcratinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks