Overview

overview

10

Static

static

10

25bc30afa6...52.exe

windows7-x64

10

25bc30afa6...52.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7fbdb2f5c7830894d0436a8291e1231f.bin

  • Size

    239KB

  • Sample

    230130-xlqgzadc3t

  • MD5

    d933a2fb580dfbe584a1d7ab88a58a2b

  • SHA1

    a9b39cdca491e29933e9744f132880bd043f1d54

  • SHA256

    f729b1f245206764aec8b16491884978effc91030735430d5d906c06c4761a5c

  • SHA512

    92c30c2dcc3fbcf5e7740bd3bfb101ae6b77663ef60ec58452ee8365d55b61a374eaab8d02bce511290429c80ea7a5edf40d74b0208a4411105c5c2e3ee1f28b

  • SSDEEP

    6144:Wmj1EXVzGH36sRRlt2DgUr7omqjpTS6EeNx:b1EFaH9RyxtqlG6NL

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Targets

    • Target

      25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

    • Size

      532KB

    • MD5

      7fbdb2f5c7830894d0436a8291e1231f

    • SHA1

      22a13d9bacb8dcf04eb0260999f75fed68d21d0a

    • SHA256

      25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152

    • SHA512

      186f41e9bf79dd0e3711c95d2a73ac734efe83b2321f4f5cd920bf21e95c4075829780d91adbce471335a76cc786a68d8162447b6032465def9d54e8e6b36c1d

    • SSDEEP

      12288:KqnOG4bunLVYAN2ehGtdd3vzQ2JzgW8Lntk:K+OG4bcYAnhGl3U2Jz

    Score
    10/10
    dcratinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies WinLogon for persistence

      persistence

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks