General

  • Target: ab7fbb991d61dcb9affcb581c459e9d3.exe
  • Size: 2.3MB
  • Sample: 220209-dy7ggahccq
  • MD5: ab7fbb991d61dcb9affcb581c459e9d3
  • SHA1: abe33bd69ac60e2a0b06ed8201d41fb430ff518c
  • SHA256: 493a2547e41f5c448e3638a63a91a3b07950202fb912d187688223eb4081483f
  • SHA512: edca9ae34af65a69c7b157adfcc17579e6cd2bfe80aef9c05cb7c1534d49992e234ba43ba76987d6d22d020cf47e34e32c2c600b09df1ff49f1055a0d7e0b5cb

Malware Config

Targets

    • DcRat: DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
    • Process spawned unexpected child process: this typically indicates that the parent process was compromised via an exploit or a macro.
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Each row lists the tactic, the technique observed, the number of matching signatures, and the technique ID.

  Tactic                 Technique                             Signatures   ID
  Execution              Scheduled Task                        1            T1053
  Persistence            Registry Run Keys / Startup Folder    1            T1060
  Persistence            Scheduled Task                        1            T1053
  Privilege Escalation   Bypass User Account Control           1            T1088
  Privilege Escalation   Scheduled Task                        1            T1053
  Defense Evasion        Bypass User Account Control           1            T1088
  Defense Evasion        Disabling Security Tools              1            T1089
  Defense Evasion        Modify Registry                       3            T1112
  Discovery              System Information Discovery          3            T1082
  Discovery              Query Registry                        2            T1012
