Overview

overview

10

Static

static

1

7afbf498fc...33.exe

windows7-x64

10

7afbf498fc...33.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    718c1a4f0cdacf94d4d6ad97e06a459f.bin

  • Size

    10.0MB

  • Sample

    230322-bx2hqaeb56

  • MD5

    44455c29a6cda31fe83c711574fae061

  • SHA1

    93b208731aaf0881eeaf83ada51f0b05e389f3a4

  • SHA256

    442e9da5b83a8273d33a95a6cdbe4d6fc9c38fd95f87a007025d959891e7346a

  • SHA512

    e354a08a4bebb4d302b5d5acd300be9ed0d983af24678c8b41306fdfc437697c2c5c50cab9529240e0d4b1ca221437ee6029c44acbe73fc563c609e2af3e34ff

  • SSDEEP

    196608:Vm6QJBNHlU1Q7vGJQ+PkzbzQ7ydqLY/WXRwwNBtoLc1fh2A4z368YV:Vm6Qbr7ui+8Hz8y4ceXR9vQ2h54z3684

Score
10/10
dcratevasioninfostealerratspywarestealer

Malware Config

Targets

    • Target

      7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe

    • Size

      10.0MB

    • MD5

      718c1a4f0cdacf94d4d6ad97e06a459f

    • SHA1

      f7ea9a4f39e415c15ef563ecd4f381013e52d3a7

    • SHA256

      7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033

    • SHA512

      8a3d55db0a4eae644922895e140269f22f8214af875bf3544255bcc1be6b1de9a1274b1dd41cc4ac5826a9ac5e1d8d216994891dc124c01ba722db214652f80e

    • SSDEEP

      196608:2JJ8G/X6v9189c+HzrMyU59NSOWQqA00aWOj/AoDvVq:2JJTCv8cEnMrrNSOhLPOj/Pv

    Score
    10/10
    dcratevasioninfostealerratspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies security service

      evasion

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks