Resubmissions

26-12-2022 00:04  221226-acrmcafe2y  score 10/10
26-12-2022 00:03  221226-acfvvafe2x  score 10/10
26-12-2022 00:03  221226-ab851acc75  score 10/10
26-12-2022 00:03  221226-ab3m8afe2w  score 10/10
26-12-2022 00:02  221226-abs4sacc74  score 10/10
26-12-2022 00:01  221226-abb59scc72  score 10/10

General

  • Target

    dcrat.zip

  • Size

    18.5MB

  • Sample

    221226-acfvvafe2x

  • MD5

    956a2f758d73f2fad917b2d7b3211c6d

  • SHA1

    5b608536a3097fa93da20fd9e7e1e10ed0c5511e

  • SHA256

    b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

  • SHA512

    e0ecf94246808f273f84f211581ba476dbd027b36b033b3bbe707b4e3723b6c48b2941704d092af29ff96b577d172f7164dd8da24ec3acdcf3ba9d95d62a8469

  • SSDEEP

    393216:rAwNiXm1VRAwNiXMXTW3ZVxQdUCiRWA69dJsfUEGafVgB+UcSgnutEZ80ZhLC:r1VVR1fTaZ+iGJsfUEGqgB+U05FC
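The hashes above (and the per-target hashes further down) are the indicators a practitioner actually takes away from a sandbox report. The following is an added example, not code from the report or from Triage, that turns them into a small offline IOC checker: it computes MD5/SHA-1/SHA-256/SHA-512 for arbitrary bytes or files and matches any digest, in either direction, against the table. The function and variable names are mine; the digest values are copied from this page.

```python
import hashlib
import sys
from typing import Dict, List, Optional, Tuple

# IOC table transcribed from this report (sample name -> algorithm -> hex digest).
# Only the archive and the two named droppers are included here; the other
# targets on the page can be added the same way.
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "dcrat.zip": {
        "md5": "956a2f758d73f2fad917b2d7b3211c6d",
        "sha1": "5b608536a3097fa93da20fd9e7e1e10ed0c5511e",
        "sha256": "b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf",
    },
    "VinyLauncher.exe": {
        "md5": "6260d545ece6e4f04cafc98adf93ff7b",
        "sha1": "5f4f3a9edee92982ba2ff096827fc4da8ecc649a",
        "sha256": "8ddb7cbefe9e072050de7fca61b3db887abfdae8bc4f06ffca6446fac3c8c10f",
    },
    "tmp": {
        "md5": "b27e540aef37c99f3cfd2766c2e61784",
        "sha1": "c516b74daec17d1bc788c54433cf10899ee07e92",
        "sha256": "28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479",
    },
}

# Hex-digest length -> algorithm name, used to classify a bare digest.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def digests(data: bytes) -> Dict[str, str]:
    """Return lowercase hex digests of `data` for every algorithm the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def build_index(iocs: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Invert the IOC table into digest -> (algorithm, sample name) for O(1) lookups."""
    index: Dict[str, Tuple[str, str]] = {}
    for name, per_algo in iocs.items():
        for algo, hexdigest in per_algo.items():
            index[hexdigest.lower()] = (algo, name)
    return index


INDEX = build_index(REPORT_IOCS)


def lookup(hexdigest: str) -> Optional[Tuple[str, str]]:
    """Match a single digest (any case) against the report. None if unknown or malformed."""
    h = hexdigest.strip().lower()
    if len(h) not in ALGO_BY_LEN or any(c not in "0123456789abcdef" for c in h):
        return None
    return INDEX.get(h)


def match_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Hash `data` with every algorithm and return all (algorithm, sample) matches."""
    hits = []
    for algo, h in digests(data).items():
        found = INDEX.get(h)
        if found is not None and found[0] == algo:
            hits.append(found)
    return hits


def match_file(path: str, chunk: int = 1 << 20) -> List[Tuple[str, str]]:
    """Stream a file through all hashers so large samples (the zip is 18.5MB) fit in memory."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    hits = []
    for algo, h in hashers.items():
        found = INDEX.get(h.hexdigest())
        if found is not None and found[0] == algo:
            hits.append(found)
    return hits


if __name__ == "__main__":
    # usage: python ioc_check.py <file-or-digest> ...
    for arg in sys.argv[1:]:
        result = lookup(arg) if len(arg) in ALGO_BY_LEN else match_file(arg)
        print(f"{arg}: {result or 'no match'}")
```

A digest that matches only one algorithm's column is reported once; a collision between, say, an MD5 entry and an unrelated SHA-1 cannot happen because the lengths differ, which is why the index key is the bare hex string.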

Malware Config

Extracted

  • Family: ps1.dropper
  • Language: ps1
  • Deobfuscated
  • URLs: https://ipinfo.io/ip

Targets

    • Target

      0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69

    • Size

      1.3MB

    • MD5

      e1e945f04fbbeab2efa06d16d21e4c22

    • SHA1

      54037b5b03272d255ab875b5791f87902c5b9457

    • SHA256

      0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69

    • SHA512

      61dfbe4d1803ba11f7318b1338343529be925bd84ba107bccb9d7c3f8175a012ea877a613946419f8486cd1c1606d7433c07342278a8c670a5013e999308ae41

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    Score 10/10
    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      VinyLauncher.exe

    • Size

      160KB

    • MD5

      6260d545ece6e4f04cafc98adf93ff7b

    • SHA1

      5f4f3a9edee92982ba2ff096827fc4da8ecc649a

    • SHA256

      8ddb7cbefe9e072050de7fca61b3db887abfdae8bc4f06ffca6446fac3c8c10f

    • SHA512

      c80d7b4bf465a43b1a6a1168105ad96b866943339ef109283b5105dd44681ed5799e37996ee87bbceccf0f9bf3a9627c97aa660318c1a7e493be61b5e29c722a

    • SSDEEP

      3072:vPw/kZu7QBUiLkFcEdKS2fpp/9eLjEHj9t39cDLztUbkxl:AENBUiLkFcEcS2fppVeLjEHvNcDLzSb

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Modifies security service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56

    • Size

      1.7MB

    • MD5

      c090c2077f7c71e38f4b7fedfe0ef1e3

    • SHA1

      2d01b3e7f9f80961aa6bada443a5d969bf88c052

    • SHA256

      a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56

    • SHA512

      150d46cd92ab52985ee1cfa197ecfb50fe83c3d7070b99ffd187e72582b6b539e63edb990dc820882a900f446512c391557848568c35d57382abb48207e0d028

    • SSDEEP

      24576:U2G/nvxW3Ww0tjWmsIUvGdf4wNKfgo9WB4E/rR9NVGIoUtcrneDa0kPs/MQdb6Of:UbA30jW9vgwrng9EIZyqa0esNnN5P

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Target

      e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458

    • Size

      1.3MB

    • MD5

      adde6baef89ebb01b5e60f15610ba470

    • SHA1

      edc49b43aa822b754ee617db11c3ffc1a3e79ec1

    • SHA256

      e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458

    • SHA512

      89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    Score 10/10
    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      tmp

    • Size

      15.7MB

    • MD5

      b27e540aef37c99f3cfd2766c2e61784

    • SHA1

      c516b74daec17d1bc788c54433cf10899ee07e92

    • SHA256

      28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479

    • SHA512

      641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd

    • SSDEEP

      393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Modifies security service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Grants admin privileges

      Uses net.exe to change the user's group membership and privileges.

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Modifies file permissions

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
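The per-target signature lists above are behavioural, so the useful follow-up is detection logic rather than another hash. The block below is an added example, not code from the report or from the sandbox vendor: it runs a handful of rules modelled on the signatures this report fired (net.exe granting admin, the geofence registry read, Winlogon and Run-key persistence, the ipinfo.io lookup, service stops) over a constructed, Sysmon-like event list. Assumptions to note: the event schema and every sample event are constructed by me; the registry value `Control Panel\International\Geo\Nation` is my guess at what the "Checks computer location settings" signature keys on; the ATT&CK v6 IDs are copied from the matrix below, but pairing each signature with an ID is my own reading.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed event schema (not real telemetry). kind is "process", "registry" or "network".
@dataclass
class Event:
    kind: str
    image: str = ""      # process image path
    cmdline: str = ""    # process command line
    key: str = ""        # registry path touched (registry events)
    host: str = ""       # destination hostname (network events)


# External-IP services seen in this report's extracted config; extend as needed.
IP_LOOKUP_HOSTS = {"ipinfo.io"}


def _is_net_exe(e: Event) -> bool:
    return e.kind == "process" and e.image.lower().endswith("\\net.exe")


def grants_admin(e: Event) -> bool:
    # "net localgroup administrators <user> /add" (Account Manipulation, T1098)
    return _is_net_exe(e) and bool(
        re.search(r"localgroup\s+administrators\s+\S+\s+/add", e.cmdline, re.I))


def checks_location(e: Event) -> bool:
    # Assumed key behind "Checks computer location settings" (Query Registry, T1012 - assumed mapping)
    return e.kind == "registry" and e.key.lower().endswith(
        "\\control panel\\international\\geo\\nation")


def modifies_winlogon(e: Event) -> bool:
    # Winlogon\Userinit or Winlogon\Shell rewritten (Winlogon Helper DLL, T1004)
    k = e.key.lower()
    return (e.kind == "registry" and "\\currentversion\\winlogon\\" in k
            and k.rsplit("\\", 1)[-1] in ("userinit", "shell"))


def adds_run_key(e: Event) -> bool:
    # Value written under ...\CurrentVersion\Run\ (Registry Run Keys, T1060)
    return e.kind == "registry" and "\\currentversion\\run\\" in e.key.lower()


def external_ip_lookup(e: Event) -> bool:
    # Connection to a legitimate IP-echo service (Web Service, T1102)
    return e.kind == "network" and e.host.lower() in IP_LOOKUP_HOSTS


def stops_service(e: Event) -> bool:
    # "sc stop X" / "net stop X" (Service Stop, T1489)
    return e.kind == "process" and bool(
        re.match(r"(sc|net)(\.exe)?\s+stop\s+\S+", e.cmdline.strip(), re.I))


# (signature name as it appears in the report, ATT&CK v6 ID, predicate)
RULES: List[tuple] = [
    ("Grants admin privileges", "T1098", grants_admin),
    ("Checks computer location settings", "T1012", checks_location),
    ("Modifies WinLogon for persistence", "T1004", modifies_winlogon),
    ("Adds Run key to start application", "T1060", adds_run_key),
    ("Looks up external IP address via web service", "T1102", external_ip_lookup),
    ("Stops running service(s)", "T1489", stops_service),
]


def evaluate(events: List[Event]) -> List[Dict[str, object]]:
    """Return one hit per (event, rule) pair so an analyst can trace each signature to evidence."""
    hits = []
    for idx, ev in enumerate(events):
        for name, technique, pred in RULES:
            if pred(ev):
                hits.append({"signature": name, "technique": technique, "event": idx})
    return hits


def summarize(events: List[Event]) -> List[str]:
    """Distinct signature names that fired, sorted, i.e. the report-style summary."""
    return sorted({h["signature"] for h in evaluate(events)})


# Constructed events mirroring behaviours listed for the "tmp" and "VinyLauncher.exe" targets.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\net.exe",
          cmdline="net localgroup administrators user /add"),
    Event("registry", key=r"HKCU\Control Panel\International\Geo\Nation"),
    Event("registry", key=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"),
    Event("registry", key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("network", image=r"C:\Users\user\AppData\Roaming\tmp.exe", host="ipinfo.io"),
    Event("process", image=r"C:\Windows\System32\sc.exe", cmdline="sc stop WinDefend"),
    Event("process", image=r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Each predicate is deliberately narrow (image name plus command-line shape, or an exact key suffix) so the rules can be lifted into a SIEM query without a flood of false positives; the notepad event is there to show a benign process producing no hits.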

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Signatures  ID
Execution             Scheduled Task                       5           T1053
Persistence           Scheduled Task                       5           T1053
Persistence           Modify Existing Service              3           T1031
Persistence           Winlogon Helper DLL                  1           T1004
Persistence           Account Manipulation                 1           T1098
Persistence           Registry Run Keys / Startup Folder   1           T1060
Privilege Escalation  Scheduled Task                       5           T1053
Defense Evasion       Modify Registry                      7           T1112
Defense Evasion       Impair Defenses                      1           T1562
Defense Evasion       Install Root Certificate             2           T1130
Defense Evasion       File Permissions Modification        1           T1222
Defense Evasion       Disabling Security Tools             1           T1089
Credential Access     Credentials in Files                 2           T1081
Discovery             Query Registry                       6           T1012
Discovery             System Information Discovery         10          T1082
Discovery             Process Discovery                    1           T1057
Collection            Data from Local System               2           T1005
Command and Control   Web Service                          3           T1102
Impact                Service Stop                         1           T1489

Tasks

static1       tags: rat, dcrat                                                                    Score 10/10
behavioral1   tags: dcrat, infostealer, rat                                                       Score 10/10
behavioral2   tags: dcrat, infostealer, rat                                                       Score 10/10
behavioral3   tags: dcrat, infostealer, rat                                                       Score 10/10
behavioral4   tags: dcrat, xmrig, evasion, infostealer, miner, rat, upx                           Score 10/10
behavioral5   (no tags)                                                                           Score 8/10
behavioral6   tags: dcrat, evasion, infostealer, rat                                              Score 10/10
behavioral7   tags: dcrat, infostealer, rat, spyware, stealer                                     Score 10/10
behavioral8   tags: dcrat, infostealer, rat, spyware, stealer                                     Score 10/10
behavioral9   tags: dcrat, infostealer, rat, spyware, stealer                                     Score 10/10
behavioral10  tags: dcrat, infostealer, rat                                                       Score 10/10
behavioral11  tags: dcrat, infostealer, rat                                                       Score 10/10
behavioral12  tags: dcrat, infostealer, rat                                                       Score 10/10
behavioral13  tags: dcrat, discovery, evasion, exploit, infostealer, persistence, rat, trojan     Score 10/10
behavioral14  tags: dcrat, discovery, evasion, exploit, infostealer, persistence, rat, trojan     Score 10/10
behavioral15  tags: dcrat, discovery, exploit, infostealer, persistence, rat                      Score 10/10