General

  • Target

    test.exe

  • Size

    1MB

  • Sample

    220521-q34ycshed2

  • MD5

    abbb100af637fd20536e63f9ebe72eba

  • SHA1

    4538c638950bfdf57311f86140b9819649af1112

  • SHA256

    f06e8c2cbfa1da33e3e08eb79315d3eb9efc6fa916184df036a581dcd6a08165

  • SHA512

    8b098c002c24321b8d25a867e5b7e2964e9941274e0bc9fdf42441892305a9a96abfbbda1b90e6874784021ed01d04d279f2c4a583ae719186c6429293f46004

Malware Config

Targets

    • Target

      test.exe

    • Size

      1MB

    • MD5

      abbb100af637fd20536e63f9ebe72eba

    • SHA1

      4538c638950bfdf57311f86140b9819649af1112

    • SHA256

      f06e8c2cbfa1da33e3e08eb79315d3eb9efc6fa916184df036a581dcd6a08165

    • SHA512

      8b098c002c24321b8d25a867e5b7e2964e9941274e0bc9fdf42441892305a9a96abfbbda1b90e6874784021ed01d04d279f2c4a583ae719186c6429293f46004

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE DCRAT Activity (GET)

      suricata: ET MALWARE DCRAT Activity (GET)

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks