Overview

overview

10

Static

static

b0fdb67b70...2e.exe

windows7-x64

6

b0fdb67b70...2e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b0fdb67b7034d43be60f80a2ba12bb2e.exe

  • Size

    1.8MB

  • Sample

    230117-13x5xsdd6v

  • MD5

    b0fdb67b7034d43be60f80a2ba12bb2e

  • SHA1

    1d1c2ad7442809558ac1213013a4e475381f32c0

  • SHA256

    5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3

  • SHA512

    c63f955cfe434ea18b25a2d7d519acb8635b0c299b81dde939a51ef2cc18ebf3502083e4b0cd8ea7362f3726b00ef67ee8d6ab2a48908b1a2b82085a2ccd7c62

  • SSDEEP

    24576:NzdI/9AP+8KrCL3EZ3xHEv/fpeE7mV8dseWXaPDrwa0uporxWgLiP6S+ig5mG+GJ:raKU5xHEv/fgd8OwQuIGJ

Score
10/10
dcratinfostealerpersistenceratspywarestealer

Malware Config

Targets

    • Target

      b0fdb67b7034d43be60f80a2ba12bb2e.exe

    • Size

      1.8MB

    • MD5

      b0fdb67b7034d43be60f80a2ba12bb2e

    • SHA1

      1d1c2ad7442809558ac1213013a4e475381f32c0

    • SHA256

      5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3

    • SHA512

      c63f955cfe434ea18b25a2d7d519acb8635b0c299b81dde939a51ef2cc18ebf3502083e4b0cd8ea7362f3726b00ef67ee8d6ab2a48908b1a2b82085a2ccd7c62

    • SSDEEP

      24576:NzdI/9AP+8KrCL3EZ3xHEv/fpeE7mV8dseWXaPDrwa0uporxWgLiP6S+ig5mG+GJ:raKU5xHEv/fgd8OwQuIGJ

    Score
    10/10
    persistencedcratinfostealerratspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks