Overview

overview

10

Static

static

10

084edc7b54...42.exe

windows7-x64

10

084edc7b54...42.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    084edc7b5451c4e18a20ca7982787742.exe

  • Size

    1.4MB

  • Sample

    220829-ee283scdd5

  • MD5

    084edc7b5451c4e18a20ca7982787742

  • SHA1

    0c9899f2b4b46bfd903ce96b0c73899e6ba6952d

  • SHA256

    d94aec0bdc801cd7cad261af02d7ed8f171374b1fbd101449013c2d166dc07ce

  • SHA512

    c3c45b858524d0010f2f9124f6cdc01de1f5e1100c41914fbb9c9150c7d98840d7c0d18a4b976e74bc289654485b2fc8aaa0a8246d3e27ab3dd0e6c42728305f

  • SSDEEP

    24576:xJiN7JdiObNHEnToSiqX4uKlyz/hQQ6c0gJgkKrM7cCFm:xJUJoKEn9iSKlkW9ekCRF

Score
10/10
dcratdiscoveryevasionexploitinfostealerratspywarestealertrojan

Malware Config

Targets

    • Target

      084edc7b5451c4e18a20ca7982787742.exe

    • Size

      1.4MB

    • MD5

      084edc7b5451c4e18a20ca7982787742

    • SHA1

      0c9899f2b4b46bfd903ce96b0c73899e6ba6952d

    • SHA256

      d94aec0bdc801cd7cad261af02d7ed8f171374b1fbd101449013c2d166dc07ce

    • SHA512

      c3c45b858524d0010f2f9124f6cdc01de1f5e1100c41914fbb9c9150c7d98840d7c0d18a4b976e74bc289654485b2fc8aaa0a8246d3e27ab3dd0e6c42728305f

    • SSDEEP

      24576:xJiN7JdiObNHEnToSiqX4uKlyz/hQQ6c0gJgkKrM7cCFm:xJUJoKEn9iSKlkW9ekCRF

    Score
    10/10
    dcratevasioninfostealerrattrojandiscoveryexploitspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies security service

      evasion

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

4
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks