dcrat

General

Target

LegacyPhasmo.rar
Size

634KB
Sample

240603-lwsjjaaf4z
MD5

b2800c86cdb04d471af2a27f3f7e416a
SHA1

1869929454f4d0b05fb4f51d1983e30be17a28ab
SHA256

ac8a08a5dd79ab90a206fe5f79c6d0982a3d9f21ea23daae9e0a04a0edd65892
SHA512

2d0e779995ad70a6d3176bf1a23a2d3b491f107b57ab4e768dcab3fa6fb1fd908e730a9e84b920727166950164ac68c5f6a4417276e35e7b2f23dafb056ed731
SSDEEP

12288:oEKaaOVozcA11bqV5kJPU/HJOoP84EaLROyu5718CSJo3oLcgsa6Tp5Q5:L+zPebkiPJOoP35s1h8Zo8R695E

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1239969504654655528/VeqtFqysqjPq1RBqiaPnt8f3X7OZKPfU8tkQRyN212Fwc2hm58OjrMT9W-FnzCFUxfPD

Targets

- Target
  
  LegacyPhasmo/LegacyPhasmo.exe
- Size
  
  495KB
- MD5
  
  85946e8adc17bed93bb80005f2caabe7
- SHA1
  
  b7941993fc3c58a9a42296b82e43f0988feb2ed9
- SHA256
  
  649683f80b00b62ba0979634a6935088637e8b12f91ef8260dfaafa4840d6555
- SHA512
  
  331cc3635905ff7673f545c7570cbaae1fa7a7b5637a610d1ce801929d67b527e88cb1e453aa4b1c402ea2565e0e5fa6729d822d38527a6bd8f8e84348c6e51c
- SSDEEP
  
  6144:vloZM+rIkd8g+EtXHkv/iD42LM3t74sziKrd4UB8Fb8e1mgi04OA:NoZtL+EP82LM3t74sziKrd4UBsa00
Score

10^/10

umbral stealer execution spyware
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  LegacyPhasmo/start.bat
- Size
  
  1.1MB
- MD5
  
  7002fdc4d02a4ed4a5a6f56bc40efcef
- SHA1
  
  cef5ea6d5507392e4fd5cb9511160f4882b4d8b8
- SHA256
  
  6fddd93899ba0f1de262aa86d1e7f4ed3df8b29e9d2b9679d42b5a81addea6f4
- SHA512
  
  d5859012071a604563d96c8cffb9a5f12ae5a085b0160d3e90de140bd50c752d97287c1810140d72bf2404880fecd8332a458005e5e8052f5ad74cf11f12a538
- SSDEEP
  
  24576:U2G/nvxW3Ww0t6eSgFX3x5aC6FRMzpC6nHZW/n:UbA306e9FTtYeP0P
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral3 behavioral4