Overview

overview

10

Static

static

3

fdbe495723...5a.exe

windows7-x64

7

fdbe495723...5a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fdbe49572379a183c6cd1ea7f47a9d0b4d84dddb6a9b7b7b63af0b2828c25e5a

  • Size

    1.6MB

  • Sample

    230612-3l3p7aeb87

  • MD5

    ed6058f48136844f74532fa1f04847df

  • SHA1

    5af64b0ac026e8f0eefe963c3041f6f988d4a7fa

  • SHA256

    fdbe49572379a183c6cd1ea7f47a9d0b4d84dddb6a9b7b7b63af0b2828c25e5a

  • SHA512

    1f499f10e5e04cc0e3f5c0f7396e97b7213d270f3c70b2de420653f5a9c9e7cfbb076f80bc1fe113c4ad627848d5f6babca5f1cf1ddcf2e0ee78b7e7a3f0892a

  • SSDEEP

    49152:m1PixHoD837gw7jtXEC3h6j0AKnudlmW:m1qqyLftTh2DR

Score
10/10
dcratinfostealerrat

Malware Config

Targets

    • Target

      fdbe49572379a183c6cd1ea7f47a9d0b4d84dddb6a9b7b7b63af0b2828c25e5a

    • Size

      1.6MB

    • MD5

      ed6058f48136844f74532fa1f04847df

    • SHA1

      5af64b0ac026e8f0eefe963c3041f6f988d4a7fa

    • SHA256

      fdbe49572379a183c6cd1ea7f47a9d0b4d84dddb6a9b7b7b63af0b2828c25e5a

    • SHA512

      1f499f10e5e04cc0e3f5c0f7396e97b7213d270f3c70b2de420653f5a9c9e7cfbb076f80bc1fe113c4ad627848d5f6babca5f1cf1ddcf2e0ee78b7e7a3f0892a

    • SSDEEP

      49152:m1PixHoD837gw7jtXEC3h6j0AKnudlmW:m1qqyLftTh2DR

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks