General

  • Target

    tmp

  • Size

    1MB

  • Sample

    230602-zwjtaaed76

  • MD5

    373992db74a918562686a9e9144ecbbe

  • SHA1

    953c7daaec55cdf106b371b555bc73f83a127b26

  • SHA256

    c17ee50458ad78fb43b23fd8001002cd35bb8effac19ec33091ddadefbc7dcac

  • SHA512

    ddf9af3d9b765708ce9e91f1ba7631f4111202016deae60f0da80026688fd465e9877fe55ec175be0296db153e300188a5aeadd5566b2e72fc8cf0e1bb8a80e4

  • SSDEEP

    24576:U2G/nvxW3Ww0t1urfikuV13mFFkwIuKOaZDIpw6P/KlBrJ/GB+8xNEJnw:UbA30Wiku13qF1jtpwG/KR/YxNEJw

Malware Config

Targets

    • Target

      tmp

    • Size

      1MB

    • MD5

      373992db74a918562686a9e9144ecbbe

    • SHA1

      953c7daaec55cdf106b371b555bc73f83a127b26

    • SHA256

      c17ee50458ad78fb43b23fd8001002cd35bb8effac19ec33091ddadefbc7dcac

    • SHA512

      ddf9af3d9b765708ce9e91f1ba7631f4111202016deae60f0da80026688fd465e9877fe55ec175be0296db153e300188a5aeadd5566b2e72fc8cf0e1bb8a80e4

    • SSDEEP

      24576:U2G/nvxW3Ww0t1urfikuV13mFFkwIuKOaZDIpw6P/KlBrJ/GB+8xNEJnw:UbA30Wiku13qF1jtpwG/KR/YxNEJw

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks