General

  • Target

    c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3

  • Size

    3.3MB

  • Sample

    240603-d3tfeaba92

  • MD5

    060acdb9ab659883f1d74c40fc5d6c4b

  • SHA1

    f6ede67bf171dcc87fc8c49dadbb9c05b2f3838c

  • SHA256

    c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3

  • SHA512

    a8ef346f9cf58efb9b2bed08102e02033ce7b69b6403a9dd6044824f9a1c7723dde69453f3267b1e8395e1db0e1530c05609e2f04eb739bbc57cf376e4e638ab

  • SSDEEP

    49152:gJ4Neo2O0+nNLfCDPRRelHdti+EwbBjebd+g0Uuqhv5GWJLJV4dwpk:gJ4Pn0+nNLfuReJdtijwb5ebLSWxGg4/

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables containing base64-encoded gzip files

    • Detects executables packed with SmartAssembly

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks