General

  • Target

    36debef0fda01710af9b0e7b6d990a37.bin.exe

  • Size

    1MB

  • Sample

    230322-ng2vrsgd96

  • MD5

    36debef0fda01710af9b0e7b6d990a37

  • SHA1

    b74d79014b30d14abbfbc7adac9a9c2a484f51b9

  • SHA256

    5d61d2fe577e2a1feac949e6ee980fc9589e4b9472bc4ae249e5d50371ce0e9a

  • SHA512

    a4fdeb9658b23abf6544344131d2504a72512773f9b041a1c83cee137bb248bf5ab28e11b07d21302fa54660e2eff8fb97f8c3b00d4c7cdee237c237f91befa4

  • SSDEEP

    12288:7EOA56TrfgrfGA3hM6iM8QSArLmMcKDJW0lt6/9y4dne+qR/:o5IErf1hTP8ALrDc0lQ/9y4dne

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Count  ID
  Defense Evasion    Install Root Certificate       1      T1130
  Defense Evasion    Modify Registry                1      T1112
  Credential Access  Credentials in Files           2      T1081
  Discovery          Query Registry                 1      T1012
  Discovery          System Information Discovery   2      T1082
  Collection         Data from Local System         2      T1005

Tasks