Resubmissions

23-11-2022 20:27

221123-y8tnksfc3z 10

23-11-2022 20:15

221123-y1h7wabe89 8

General

  • Target

    FortiClientVPNOnlineInstaller.zip

  • Size

    11.0MB

  • Sample

    221123-y8tnksfc3z

  • MD5

    8b38999eb2521144c8d03e754789491b

  • SHA1

    7e127033520b1e2450e775304854dddf11a66538

  • SHA256

    46efa46a07219dd38811c4b39b536c47f8e98f4b61471edb92b485936d19ed6a

  • SHA512

    c520e0697561371f7884c86b4abd091faae253bc79ffe42a62d5ab28633356bd8e418ecf3d5fdee1d22f14d0c5ff71402de24f9c572d96c64b5dff8457fe57cf

  • SSDEEP

    196608:iUh7aJ9eyE+pmJ9E1xPuSet0ogZ9XD9Sd+FSVeZLZeWNklnkVavxWFt0OYQoS:iUw2x9EPO2NdD8d+ccPeWUkwZ6

Malware Config

Targets

    • Target

      FortiClientVPNOnlineInstaller/FortiClientVPNOnlineInstaller.exe

    • Size

      680.0MB

    • MD5

      04ef98f4529be357048652711b07a229

    • SHA1

      29c83c44525fabdd00975a2d86dc89a57254e427

    • SHA256

      3845e4da0576f1738714186dcf9546174256f8293192010df857955d4bf025af

    • SHA512

      e8d5124166f649e63e2abf09455a168a72fca59da9539cb6145bc3bafb71c4bfb2d0e539b993d2b38f8a19c59014a6512d9ee73981f4a52ad46e5489778b2883

    • SSDEEP

      49152:5IvoPne7uqQd/BAranpu07jFcRqzx21F3B2IoZ+HNCCskbxtOX:5IvoPnVqG/WapuEj+g0H3YJMt1xts

    • DcRat

      DarkCrystal (DCRat) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks