Overview

overview

10

Static

static

c4e73a6963...ca.exe

windows7-x64

10

c4e73a6963...ca.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c4e73a6963047ced86ad548cb7a572ca.exe

  • Size

    12.2MB

  • Sample

    230111-f4wchaae72

  • MD5

    c4e73a6963047ced86ad548cb7a572ca

  • SHA1

    9a983d43e8790aed5b205c87a05b034fd468a999

  • SHA256

    2608011bb9bd8b7cd8ddc0790e5a6499e1a1fc53864d832804ebebc4955415bb

  • SHA512

    0d806662c868f25f70aa606bcca49b047509d583047b02c76a50df2f7222c6dcff34f852d6d3dde36f8fb1af6ffafd0cee9cb1c0d258804f631bc31f59391109

  • SSDEEP

    393216:siZNJQxvME6Ek5SUOKsKrdCsSjqx23BUC4:seNaxvMfJkU6odC5jRe

Score
10/10
dcratdiscoveryevasionexploitinfostealerratspywarestealervmprotect

Malware Config

Targets

    • Target

      c4e73a6963047ced86ad548cb7a572ca.exe

    • Size

      12.2MB

    • MD5

      c4e73a6963047ced86ad548cb7a572ca

    • SHA1

      9a983d43e8790aed5b205c87a05b034fd468a999

    • SHA256

      2608011bb9bd8b7cd8ddc0790e5a6499e1a1fc53864d832804ebebc4955415bb

    • SHA512

      0d806662c868f25f70aa606bcca49b047509d583047b02c76a50df2f7222c6dcff34f852d6d3dde36f8fb1af6ffafd0cee9cb1c0d258804f631bc31f59391109

    • SSDEEP

      393216:siZNJQxvME6Ek5SUOKsKrdCsSjqx23BUC4:seNaxvMfJkU6odC5jRe

    Score
    10/10
    dcratdiscoveryevasionexploitinfostealerratspywarestealervmprotect

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies security service

      evasion

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks