General

  • Target

    11def98517c93e2a955df827ed88a3a2.bin

  • Size

    18.7MB

  • Sample

    230116-xms99abf84

  • MD5

    11def98517c93e2a955df827ed88a3a2

  • SHA1

    12d175a93a7b161bd8d4d6b489e95f15e34ad283

  • SHA256

    9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

  • SHA512

    de189488e83e72ec79829325454584b452f3ebec54f81f9de804e590bd8e6f086c7709d504cc2b4e8a4e16fa27e64eedda963c51a60440bb71a9a842d8bd4130

  • SSDEEP

    393216:A2lbkeGJYGzcQBWCZ5rbfo0yAoRu0fDzsg4wTIxxqFSGUpDjC4RXBLs8nt0n:AZeGJR3IqWA+7zF4wTHYGUplBLsf

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://45.81.224.130/any.exe

Targets

    • Target

      a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56

    • Size

      1.7MB

    • MD5

      c090c2077f7c71e38f4b7fedfe0ef1e3

    • SHA1

      2d01b3e7f9f80961aa6bada443a5d969bf88c052

    • SHA256

      a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56

    • SHA512

      150d46cd92ab52985ee1cfa197ecfb50fe83c3d7070b99ffd187e72582b6b539e63edb990dc820882a900f446512c391557848568c35d57382abb48207e0d028

    • SSDEEP

      24576:U2G/nvxW3Ww0tjWmsIUvGdf4wNKfgo9WB4E/rR9NVGIoUtcrneDa0kPs/MQdb6Of:UbA30jW9vgwrng9EIZyqa0esNnN5P

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      tmp

    • Size

      15.7MB

    • MD5

      5c9360467aba93db8eaa351b62b93afc

    • SHA1

      cef8b31d41b2eb3bd1c1454a96afc43911db85ab

    • SHA256

      b49c294afa4366bf02faccce77dedf2c9ba3d4aa4073c13fe22bd202821d94e6

    • SHA512

      133dc14f6df1d898e968a09d4a60a32345a252031f57bb250674b98b38e338170f9b3e88b00c88acd5f7a3da72d58a078ae52b175af0c6e41e4ccc72f93538cb

    • SSDEEP

      393216:U81/eXkkM7cGGBNpuXKhBqJ0CEZsXVqNIyc2KBcr27eEHTPI:U86MihuXCBe0CEYqNIygdrI

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Modifies security service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Target

      tmp

    • Size

      1.1MB

    • MD5

      1466f001f010dfed5838484c2fb25a56

    • SHA1

      489c707fd9d43574e536b4da4f15d3965d57c2fc

    • SHA256

      d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

    • SHA512

      35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

    • SSDEEP

      12288:4epPM2lx+HOqRo1lEBht1ylUyeewN3eJE3/oZ4DFWX4DBYFn9ducCSLEelT+wsHu:X0Vey/Olg5pwZesvCStZsbqSNz6

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458

    • Size

      1.3MB

    • MD5

      adde6baef89ebb01b5e60f15610ba470

    • SHA1

      edc49b43aa822b754ee617db11c3ffc1a3e79ec1

    • SHA256

      e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458

    • SHA512

      89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
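The hash listing above is flattened key/value text, which is awkward to feed into a blocklist or a hash lookup. As an added example (not the sandbox's own tooling and not code from this report), the Python below parses that listing into IOC records, validates the digests, indexes them by hash and checks a file's digests against the index. The embedded REPORT string is an abridged copy of the listing on this page; the bytes hashed at test time are constructed and are not the sample.

```python
"""Parse this report's flattened Target/hash listing into IOC records and match
file digests against them. Added example, not the sandbox's own tooling."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Abridged copy of the listing on this page (two of the five records).
REPORT = """
• Target
  11def98517c93e2a955df827ed88a3a2.bin
• Size
  18.7MB
• Sample
  230116-xms99abf84
• MD5
  11def98517c93e2a955df827ed88a3a2
• SHA1
  12d175a93a7b161bd8d4d6b489e95f15e34ad283
• SHA256
  9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb
Targets
• Target
  a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
• Size
  1.7MB
• MD5
  c090c2077f7c71e38f4b7fedfe0ef1e3
• SHA1
  2d01b3e7f9f80961aa6bada443a5d969bf88c052
• SHA256
  a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
Score
10/10
• DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
• DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
• Executes dropped EXE
• Loads dropped DLL
"""

FIELD_KEYS = {"Target", "Size", "Sample", "MD5", "SHA1", "SHA256", "SHA512", "SSDEEP"}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class Record:
    fields: dict = field(default_factory=dict)      # Target, Size, Sample, digests
    score: Optional[str] = None
    signatures: list = field(default_factory=list)  # behaviour signature names


def parse_report(text: str) -> list:
    """A '• Target' bullet opens a record; other known bullets take the next line
    as their value; any other bullet is a signature name (its description line,
    if present, is not a bullet and is skipped)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, cur, i = [], None, 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            name = ln[1:].strip()
            if name == "Target":
                cur = Record()
                records.append(cur)
            if name in FIELD_KEYS and cur is not None and i + 1 < len(lines):
                cur.fields[name] = lines[i + 1]
                i += 2
                continue
            if cur is not None:
                cur.signatures.append(name)
        elif ln == "Score" and cur is not None and i + 1 < len(lines):
            cur.score = lines[i + 1]
            i += 2
            continue
        i += 1
    return records


def validate(records: list) -> list:
    """Flag malformed digests, and targets named by a SHA256 whose SHA256 field disagrees."""
    issues = []
    for r in records:
        for algo, n in HASH_LEN.items():
            h = r.fields.get(algo, "")
            if h and (len(h) != n or any(c not in "0123456789abcdef" for c in h.lower())):
                issues.append(f"{algo} malformed: {h}")
        t = r.fields.get("Target", "")
        if len(t) == 64 and t != r.fields.get("SHA256"):
            issues.append(f"Target/SHA256 mismatch: {t}")
    return issues


def index_by_hash(records: list) -> dict:
    return {r.fields[a].lower(): r for r in records for a in HASH_LEN if a in r.fields}


def digests(data: bytes) -> dict:
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in HASH_LEN}


def lookup(data: bytes, idx: dict) -> Optional[Record]:
    """Match any of the four digests of `data` against the report index."""
    return next((idx[h] for h in digests(data).values() if h in idx), None)


if __name__ == "__main__":
    recs = parse_report(REPORT)
    for r in recs:
        print(r.fields.get("Target"), r.score, r.signatures)
    print("issues:", validate(recs))
```

The index keys on every digest the report gives, so a match on MD5 alone still resolves to the record; `validate` catches the copy-paste damage (a truncated digest, a target named by one SHA256 but carrying another) that makes a pasted IOC list silently miss.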

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       4      T1053
  Persistence           Scheduled Task                       4      T1053
                        Winlogon Helper DLL                  1      T1004
                        Modify Existing Service              1      T1031
                        Registry Run Keys / Startup Folder   1      T1060
  Privilege Escalation  Scheduled Task                       4      T1053
  Defense Evasion       Modify Registry                      4      T1112
                        File Permissions Modification        1      T1222
                        Disabling Security Tools             1      T1089
  Discovery             Query Registry                       5      T1012
                        System Information Discovery         8      T1082
                        Process Discovery                    1      T1057
  Command and Control   Web Service                          1      T1102
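The matrix maps the observed behaviours to ATT&CK v6 techniques but carries no detection logic. The Python below is an added example (not the sandbox's or the report's code) that triages registry events for the behaviours this report flags: the country-code lookup described as a likely geofence, Uninstall-key enumeration, Winlogon and Run-key persistence, and a Windows Defender policy change. The event format, the event lines, the process names and the registry values are constructed for the example. The Geo\Nation, Winlogon, Run and Windows Defender policy paths are the standard Windows locations for those settings; that the sample touched exactly these keys is an assumption, since the report names no specific keys.

```python
"""Triage registry events for the persistence, defence-evasion and discovery
behaviours this report flags. Added example; all events are constructed."""
import re

# (technique label from the matrix above, operation, registry path pattern)
RULES = [
    ("T1004 Winlogon Helper DLL", "set",
     r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$"),
    ("T1060 Registry Run Keys", "set",
     r"\\CurrentVersion\\Run(Once)?\\[^\\]+$"),
    ("T1089 Disabling Security Tools", "set",
     r"\\Policies\\Microsoft\\Windows Defender\\"),
    ("T1012 Query Registry (geofence)", "query",
     r"\\Control Panel\\International\\Geo\\Nation$"),
    ("T1012 Query Registry (software inventory)", "query",
     r"\\CurrentVersion\\Uninstall\\"),
]
PERSIST_OR_EVADE = ("T1004", "T1060", "T1089")
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"   # stock Winlogon Userinit value
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

# Constructed events (assumed format): timestamp|pid|image|op|registry path|value
EVENTS = r"""
2023-01-16T10:00:01|4120|C:\Users\u\AppData\Local\Temp\any.exe|query|HKCU\Control Panel\International\Geo\Nation|
2023-01-16T10:00:02|4120|C:\Users\u\AppData\Local\Temp\any.exe|query|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip|
2023-01-16T10:00:03|4120|C:\Users\u\AppData\Local\Temp\any.exe|set|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|C:\Windows\system32\userinit.exe,C:\Users\u\AppData\Roaming\svc.exe
2023-01-16T10:00:04|4120|C:\Users\u\AppData\Local\Temp\any.exe|set|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc|C:\Users\u\AppData\Roaming\svc.exe
2023-01-16T10:00:05|4120|C:\Users\u\AppData\Local\Temp\any.exe|set|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware|1
2023-01-16T10:00:06|812|C:\Windows\explorer.exe|query|HKCU\Control Panel\International\Geo\Nation|
2023-01-16T10:00:07|2200|C:\Program Files\Installer\setup.exe|set|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Program Files\Installer\upd.exe
"""


def parse_events(text: str) -> list:
    events = []
    for ln in text.splitlines():
        if not ln.strip():
            continue
        ts, pid, image, op, path, value = ln.split("|", 5)
        events.append({"ts": ts, "pid": int(pid), "image": image,
                       "op": op, "path": path, "value": value})
    return events


def match_rules(ev: dict) -> list:
    return [label for label, op, rx in RULES
            if ev["op"] == op and re.search(rx, ev["path"], re.I)]


def userinit_extras(value: str) -> list:
    """Everything in a Userinit value beyond the stock userinit.exe entry."""
    return [p.strip() for p in value.split(",")
            if p.strip() and p.strip().lower() != DEFAULT_USERINIT]


def triage(events: list) -> dict:
    """Per-PID summary of matched techniques. Severity is high when a binary
    running from a user-writable path persists or tampers with security
    settings, medium when a binary elsewhere does, low for discovery alone."""
    hits = {}
    for ev in events:
        labels = match_rules(ev)
        if not labels:
            continue
        rec = hits.setdefault(ev["pid"], {"image": ev["image"], "techniques": [],
                                           "userinit_extras": [], "severity": "low"})
        rec["techniques"] += [lab for lab in labels if lab not in rec["techniques"]]
        if ev["path"].lower().endswith(r"\winlogon\userinit"):
            rec["userinit_extras"] = userinit_extras(ev["value"])
    for rec in hits.values():
        risky = any(t.startswith(PERSIST_OR_EVADE) for t in rec["techniques"])
        if risky and USER_WRITABLE.search(rec["image"]):
            rec["severity"] = "high"
        elif risky:
            rec["severity"] = "medium"
    return hits


if __name__ == "__main__":
    for pid, rec in triage(parse_events(EVENTS)).items():
        print(pid, rec["severity"], rec["image"], rec["techniques"], rec["userinit_extras"])
```

The geofence lookup on its own is scored low because explorer.exe and every locale-aware program read Geo\Nation; it only becomes interesting combined with persistence from a binary in %TEMP% or %APPDATA%, which is why the score is computed per process rather than per event. The Userinit check keeps the appended path rather than just flagging the write, since that path is the next artefact to collect.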
