General

  • Target

    HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

  • Size

    1.5MB

  • Sample

    230116-vmd48aeb71

  • MD5

    413be497be904c09aa8bfe8f0182a949

  • SHA1

    9c5a69c83dbe2629290823d33c0afbce6d37f7bf

  • SHA256

    6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

  • SHA512

    01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

  • SSDEEP

    24576:Ut0u6OwrhMEjG9rSVSv52b/1RPc0I+7xPgXJsVUAvu6jFShHpNpV8xH7+4:Uth6l+eGtUvcx+GXJsVXu6jFKpveK

Targets

    • Target

      HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

    • Modifies WinLogon for persistence

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Adds Run key to start application

    • Drops file in System32 directory
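
The two registry signatures above ("Modifies WinLogon for persistence" and "Adds Run key to start application") are the ones an analyst can confirm from a registry export of the infected host. The following is an added example, not part of the sandbox report or of DCRat: it parses a `reg export`-style dump (string values only) and flags Winlogon Shell/Userinit values that differ from their Windows defaults, plus Run/RunOnce entries that launch from outside trusted directories. The SAMPLE_REG dump, the svchost32.exe Shell entry and the "Updater" path are constructed for illustration and are not indicators taken from this sample.

```python
"""Flag Winlogon and Run-key persistence in a .reg export.

Added example, not part of the sandbox report: checks Winlogon Shell/Userinit
against their known defaults (Winlogon Helper DLL, T1004 in ATT&CK v6) and
reports Run/RunOnce entries launching from outside trusted directories
(Registry Run Keys, T1060). SAMPLE_REG and its paths are constructed.
"""
import re
from typing import NamedTuple

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Known-good defaults; Userinit normally carries a trailing comma, which we strip.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Autoruns are expected from these directories; anything else is reported.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.I)
REG_UNESCAPE_RE = re.compile(r'\\(["\\])')  # .reg escapes \ as \\ and " as \"


class Finding(NamedTuple):
    technique: str
    key: str
    value: str
    data: str


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} from a .reg export.

    Only REG_SZ values ("name"="data") are kept; dword:/hex: values are skipped,
    which is fine here because Shell, Userinit and Run entries are strings.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = REG_UNESCAPE_RE.sub(r"\1", data[1:-1])
    return keys


def first_path(cmdline: str) -> str:
    """Extract the executable from an autorun command line (quoted or not)."""
    m = EXE_RE.match(cmdline.strip())
    return m.group(1) if m else cmdline.strip()


def find_persistence(reg_text: str) -> list:
    """Apply the Winlogon (T1004) and Run-key (T1060) checks to a .reg export."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() == WINLOGON_KEY.lower():
            by_lower = {n.lower(): (n, d) for n, d in values.items()}
            for name, expected in WINLOGON_DEFAULTS.items():
                if name in by_lower:
                    orig, data = by_lower[name]
                    if data.lower().rstrip(",").strip() != expected:
                        findings.append(Finding("T1004", key, orig, data))
        elif RUN_KEY_RE.search(key):
            for name, data in values.items():
                if not first_path(data).lower().startswith(TRUSTED_DIRS):
                    findings.append(Finding("T1060", key, name, data))
    return findings


# Constructed sample export: the appended Shell entry and the "Updater" value are
# the hypothetical malicious additions; OneDrive is a benign autorun for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Windows\\System32\\svchost32.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\victim\\AppData\\Roaming\\updater.exe"
'''

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_REG):
        print(f"{f.technique}  {f.key}\\{f.value} = {f.data}")
```

Run it against an export taken with `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` (and the HKCU/HKLM Run keys). A Winlogon Shell value that is anything other than explorer.exe, or a Userinit value pointing anywhere but System32, is a finding regardless of what the appended path is called; the Run-key check is a heuristic and will also surface legitimate per-user software installed under AppData, so treat its output as a triage list rather than a verdict.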

MITRE ATT&CK Matrix (ATT&CK v6)

  Hits = number of matched behaviours from the list above.

  Tactic                Technique                            ID      Hits
  Execution             Scheduled Task                       T1053   1
  Persistence           Winlogon Helper DLL                  T1004   1
  Persistence           Registry Run Keys / Startup Folder   T1060   1
  Persistence           Scheduled Task                       T1053   1
  Privilege Escalation  Scheduled Task                       T1053   1
  Defense Evasion       Modify Registry                      T1112   2
  Discovery             Query Registry                       T1012   1
  Discovery             System Information Discovery         T1082   2
