Overview

overview

10

Static

static

3

LisectAVT_...00.exe

windows7-x64

10

LisectAVT_...00.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    LisectAVT_2403002A_200.exe

  • Size

    3.3MB

  • Sample

    240724-3vn86axgla

  • MD5

    ebf1db324a7e5a4f9dfc3e9731a8a301

  • SHA1

    6e95daa4f46b8b32320c9b3676119233aa72f21f

  • SHA256

    aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba

  • SHA512

    d9456fd19fef61e1557c089ff97e40b8295029fae5903871cd600370464b2a6c6042855771e15f8991b6a05208c64cf3aa654475cbf074578fc6661c3b65b96e

  • SSDEEP

    49152:o8xhCcpCNPulYCFckZHvEdM1jegx7oOCM1Gn72tESduILWMJd33eRkX2EuFgtDGg:NhrChV+cU/NeBPMY72tRR0EuUG

Score
10/10
dcratdiscoveryevasioninfostealerpersistencerattrojan

Malware Config

Targets

    • Target

      LisectAVT_2403002A_200.exe

    • Size

      3.3MB

    • MD5

      ebf1db324a7e5a4f9dfc3e9731a8a301

    • SHA1

      6e95daa4f46b8b32320c9b3676119233aa72f21f

    • SHA256

      aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba

    • SHA512

      d9456fd19fef61e1557c089ff97e40b8295029fae5903871cd600370464b2a6c6042855771e15f8991b6a05208c64cf3aa654475cbf074578fc6661c3b65b96e

    • SSDEEP

      49152:o8xhCcpCNPulYCFckZHvEdM1jegx7oOCM1Gn72tESduILWMJd33eRkX2EuFgtDGg:NhrChV+cU/NeBPMY72tRR0EuUG

    Score
    10/10
    dcratdiscoveryevasioninfostealerpersistencerattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks