Overview

overview

10

Static

static

10

start.exe

windows10-2004-x64

10

Resubmissions

29-06-2023 02:34

230629-c2eeescf8t 10

29-06-2023 02:03

230629-cg2n8abg25 10

29-06-2023 01:48

230629-b8lxeabf84 10

29-06-2023 01:36

230629-b1mhzabf53 10

29-06-2023 01:28

230629-bv1teabf34 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    start.exe

  • Size

    25.6MB

  • Sample

    230629-b1mhzabf53

  • MD5

    1d3109b5fd18c5b952c9bf53e34626bf

  • SHA1

    5f99c686810d651e2ccd1402fa9467919ee4dfaf

  • SHA256

    076cde745b613056fb28beaf307523b4cf9762fd214ca56b336a7318b1d3ff7f

  • SHA512

    f60534e6bb612777a5bff2a02e39562d1b2105ae46fe686d64b336d23ecfe2be5dccb6f96b3ef039d473f1279371e7fecf89c01cab53c5c19f6aeae5c8a51aa6

  • SSDEEP

    393216:vKnrhkWQETjdQuslSq9RoWOv+9qDgqmJm1U0B+Ce/Fqyf/gsa9f:vKnrvQgjdQuSborvSfqmJmC0BHe42o

Score
10/10
dcratevasioninfostealerpersistencepyinstallerratspywarestealertrojanupx

Malware Config

Targets

    • Target

      start.exe

    • Size

      25.6MB

    • MD5

      1d3109b5fd18c5b952c9bf53e34626bf

    • SHA1

      5f99c686810d651e2ccd1402fa9467919ee4dfaf

    • SHA256

      076cde745b613056fb28beaf307523b4cf9762fd214ca56b336a7318b1d3ff7f

    • SHA512

      f60534e6bb612777a5bff2a02e39562d1b2105ae46fe686d64b336d23ecfe2be5dccb6f96b3ef039d473f1279371e7fecf89c01cab53c5c19f6aeae5c8a51aa6

    • SSDEEP

      393216:vKnrhkWQETjdQuslSq9RoWOv+9qDgqmJm1U0B+Ce/Fqyf/gsa9f:vKnrvQgjdQuSborvSfqmJmC0BHe42o

    Score
    10/10
    dcratevasioninfostealerpersistencepyinstallerratspywarestealertrojanupx

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks