General

  • Target

    Wasabi-2.0.0-windows-x64.zip

  • Size

    80.1MB

  • Sample

    230111-npckvafg8x

  • MD5

    2cbfd51c9361d4365d172fe3df3216c4

  • SHA1

    92d443091e30388a5da3d520b3727a76677f2747

  • SHA256

    9b0abab903b2ed566821a42698e80ef913aed05cfff27a4401c6bafdb57967c8

  • SHA512

    7920b4de60292eb49a2d1952bed7f73823ba5e0d0bdf3a274583f6640d874e896c5989491c65c91e184cb0401ed55714efa0056ca8922994b5ef00bd43d1052c

  • SSDEEP

    1572864:KMZOxvtMwIGpwaysUE69BN2/THzGDsXhH7yRhVIbJCTQHm540Tm7q2e+V3Uvokuu:rc7Ieyo69BQriDC9yrVTTQG5K7VeLJuu

Malware Config

Targets

    • Target

      Wasabi-2.0.0-windows-x64.exe

    • Size

      80.2MB

    • MD5

      d891a0dd3031ba640ad4ac38e637193d

    • SHA1

      aa8d36b8b0df86458c4c2c584209938bfd2a21ff

    • SHA256

      cabfd8d8f97582b86787a83a1dee4446d0f2e3ba4f346884c5cd6e242b61df78

    • SHA512

      cd4e2db41df7a843a5bc1fa8cb0ac9778ffe315311aa19a84c1e36e122af38ff6e61d3bbe26582f508c1ecfc36b5df2a2f988ed1450d4e7c10499c319c130a6d

    • SSDEEP

      1572864:fm9oNpXGKGC5kSQUwOy5NpYpnFzGl4vBzDKBbRUfJUNQxup00Hc1q8ACfH85Ckwq:e6ZG+Qoy5NoFilK9KJRxNQgv81/Apnwq

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Deletes Windows Defender Definitions

      Uses the mpcmdrun utility to delete all AV definitions.

    • Modifies Windows Defender notification settings

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Windows security modification

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

    • Command-Line Interface

      T1059 (1)

    • Scheduled Task

      T1053 (1)

Persistence

    • Modify Existing Service

      T1031 (2)

    • Scheduled Task

      T1053 (1)

Privilege Escalation

    • Bypass User Account Control

      T1088 (1)

    • Scheduled Task

      T1053 (1)

Defense Evasion

    • Impair Defenses

      T1562 (1)

    • Modify Registry

      T1112 (4)

    • Disabling Security Tools

      T1089 (3)

    • Bypass User Account Control

      T1088 (1)

Discovery

    • Query Registry

      T1012 (2)

    • System Information Discovery

      T1082 (3)

    • Peripheral Device Discovery

      T1120 (1)

Command and Control

    • Web Service

      T1102 (1)

Tasks