General

  • Target

    tmp

  • Size

    15.7MB

  • Sample

    221203-fqegtsbc6t

  • MD5

    5c9360467aba93db8eaa351b62b93afc

  • SHA1

    cef8b31d41b2eb3bd1c1454a96afc43911db85ab

  • SHA256

    b49c294afa4366bf02faccce77dedf2c9ba3d4aa4073c13fe22bd202821d94e6

  • SHA512

    133dc14f6df1d898e968a09d4a60a32345a252031f57bb250674b98b38e338170f9b3e88b00c88acd5f7a3da72d58a078ae52b175af0c6e41e4ccc72f93538cb

  • SSDEEP

    393216:U81/eXkkM7cGGBNpuXKhBqJ0CEZsXVqNIyc2KBcr27eEHTPI:U86MihuXCBe0CEYqNIygdrI

Malware Config

  • Extracted (language: ps1, deobfuscated)

    URL type: exe.dropper
    URL: http://45.81.224.130/any.exe

  • Extracted (language: ps1, deobfuscated)

    URL type: ps1.dropper
    URL: https://ipinfo.io/ip

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Account Manipulation (T1098): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    File Permissions Modification (T1222): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
    Process Discovery (T1057): 1

Tasks