Overview

overview

10

Static

static

10

New_Recode...zm.exe

windows7-x64

10

New_Recode...zm.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New_Recodezip_ccKzm.exe

  • Size

    4.1MB

  • Sample

    230521-xnp9zseg2x

  • MD5

    1b86767c8010c15292ab4e908e78c816

  • SHA1

    5406e9382393e5bfbe8ab4e275a15d69b84b3c58

  • SHA256

    0571d4081865390f9eb34752c4cce3eb566271b199eb72669a9c5588b5ea0de7

  • SHA512

    1ffa8861a604882cf9b91675b74e43562164b3e905814c6bb5bb7fa375983ebd89c5731ca6fb49763f4c68e728eb122d4158bac36a6dc9b0efff2b2ffce18256

  • SSDEEP

    98304:hbbrvdAovVzr/11pPnQHdd0ZIc8vC1zKTTU:hZfr/11pP+ddwgvLTU

Score
10/10
dcratinfostealerrat

Malware Config

Targets

    • Target

      New_Recodezip_ccKzm.exe

    • Size

      4.1MB

    • MD5

      1b86767c8010c15292ab4e908e78c816

    • SHA1

      5406e9382393e5bfbe8ab4e275a15d69b84b3c58

    • SHA256

      0571d4081865390f9eb34752c4cce3eb566271b199eb72669a9c5588b5ea0de7

    • SHA512

      1ffa8861a604882cf9b91675b74e43562164b3e905814c6bb5bb7fa375983ebd89c5731ca6fb49763f4c68e728eb122d4158bac36a6dc9b0efff2b2ffce18256

    • SSDEEP

      98304:hbbrvdAovVzr/11pPnQHdd0ZIc8vC1zKTTU:hZfr/11pP+ddwgvLTU

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks