Overview

overview

10

Static

static

10

dc/10.exe

windows10-2004-x64

10

dc/12.exe

windows10-2004-x64

7

dc/13.exe

windows10-2004-x64

10

dc/15.exe

windows10-2004-x64

8

dc/16.exe

windows10-2004-x64

10

dc/17.exe

windows10-2004-x64

3

dc/19.exe

windows10-2004-x64

10

dc/22.exe

windows10-2004-x64

10

dc/23.exe

windows10-2004-x64

10

dc/3.exe

windows10-2004-x64

10

dc/4.exe

windows10-2004-x64

3

dc/5.exe

windows10-2004-x64

10

dc/6.exe

windows10-2004-x64

10

dc/7.exe

windows10-2004-x64

9

dc/9.exe

windows10-2004-x64

10

Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dc.zip

  • Size

    39.9MB

  • Sample

    240821-bs432sxbjp

  • MD5

    ea08959bd79419ae9f4b8dbf237a7976

  • SHA1

    ec6457ed1a335a5af82afdb0281d882e0fd7d243

  • SHA256

    3e8d98d5d75618970deccaeeae5e39123263ff22db1ae594b08dd4109828c7d1

  • SHA512

    dc7a92059b4828369fbaa85084293c1617f4168769e1dd51fdb8ddc00a72252006d4705560777e1187196b259678bc6caadf73f93e262f41ddbc23e7c88ee7f8

  • SSDEEP

    786432:toF9XHBSeht+r1S0t253cwoSAlE6ijMUjJogwbLqo8WqfjlYSn7QfWK:yF9XBSYARHY537qZQdozb0ZnpK

Score
10/10
dcratgurcumilleniumratcollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencepyinstallerratspywarestealertrojanupx

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/sendMessage?chat_id=6024388590

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      dc/10.exe

    • Size

      1.8MB

    • MD5

      d026e7e452a16da084c5c032c3f2a172

    • SHA1

      96b05fe659c6caea5b15eec47ac5cdf84d256708

    • SHA256

      a7520b219d18099c24df5d666d0dd74b0d3352704feef32a5318de04c179868e

    • SHA512

      75a8e65052214a136d774b0ab87915e48976ed050654f05443f68786c7f7489a7f115666b7782d1c587082e62e80e87a882de58badf59c5974b4fcb99ef59c70

    • SSDEEP

      24576:u2G/nvxW3WieCdJVa0kgItiTuY/HXlJ/6A0k/4lCOHsX/4FxhVc1li1/U2lNGztI:ubA3jdjzyCf194lCRyX+1l8uI

    Score
    10/10
    dcratdiscoveryexecutioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

    • Target

      dc/12.exe

    • Size

      2.1MB

    • MD5

      4b9aec7822904baba250259c724b622c

    • SHA1

      17dc4905dc0af0ebd9ba1c436281330ba1f5843c

    • SHA256

      b08cb69299eea6942c44b9513a0dc817da919c7a4223a9d5db3937eb4191dbf1

    • SHA512

      e4b9e503bad1b98fd075cd1e85d5e610ba5214abdbac0c93b0037eaec95af43d1a2948769d119be1afc3a46ff906518f17ce15697038ba42ea6d1b11b09d6c20

    • SSDEEP

      24576:2TbBv5rUyXVSSgqY99xioaCEwQ90O+mWkGz5Fd11P5bVdYpj1YuUmeFOsHTmZzh8:IBJS5EHWkSNHKt1jZefTiwxqFumQ7H8g

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral2

    • Target

      dc/13.exe

    • Size

      1.2MB

    • MD5

      0e90a6b8ff015b32ace2b13a8bd1f785

    • SHA1

      8bcebbd2697eda52ef176dea6aca4ee72a10d22d

    • SHA256

      b3666fcaa0b2feeefd63d47d4afb9c9bc7ff67be6d255743574ec4ba5b854d44

    • SHA512

      15162684052d2c57954728828113bdf7841b06d59397c0cc98f9770e69240ebe54f272b2a014b5b340a601d9283d275bd8fffb61a9d7f478ef8f25b23fc18474

    • SSDEEP

      24576:U2G/nvxW3Ww0tGpv+kLhpXB40kpvvfIEN0WecEDP3CQHf:UbA30bFfIEiJbCQ/

    Score
    10/10
    dcratcredential_accessdiscoveryexecutioninfostealerratspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral3

    • Target

      dc/15.exe

    • Size

      2.1MB

    • MD5

      b12ef70bcce8e0d04e93376d3b83ca66

    • SHA1

      e39d686a8768f863d8249e756e1bc544cfb605aa

    • SHA256

      b668a49752fb5adf32ae36a41cabb6860edc2c3864d73ed40b2dadef1e23b4d2

    • SHA512

      8c846090213c7aa8a3adbd3b57f404a7b5382fce12c46e8c346251a9d8449f8ba68b3dab4cd4db9dd7a7451529fcad785c63946bc9dd6ec1b348a8ea112733be

    • SSDEEP

      24576:2TbBv5rUyXVXp1K75ksCRm9INpUlHmZ4VF2mmPh2MluvAE/m7PYhWzeJTvXOJ5+C:IBJXZssNylGK2qn/mzYhWzuTvXtqyG

    Score
    8/10
    discoveryexecution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral4

    • Target

      dc/16.exe

    • Size

      2.1MB

    • MD5

      7463afed528fc46f2ec9fa4fbe521161

    • SHA1

      e635026d8642c6460152371b8a2a2cc95c93aeee

    • SHA256

      d47573bf5a75f99f0a9dc5558b81fe5fd62dd78306dd62ef2869f0107ec885af

    • SHA512

      4ac2da7664cb6b6dc441dee912d0dfc16652d486bc78fdc609ad5d611d3478af36eab050825e548500f14a09b6b365c55c227e1bcecc15ff5fef7a4bf90de605

    • SSDEEP

      49152:IBJa3BXSZ9+EPrG7jyWXQptPCzBY7/FYttV4xTRtZwI:yM3BXPGrcyWXQQZttuxNwI

    Score
    10/10
    discoverypersistence

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral5

    • Target

      dc/17.exe

    • Size

      1.5MB

    • MD5

      59d9d9c84e967626ca147c2ddc90908d

    • SHA1

      de77c09047ffef8f9d5de414ba0a8afc7dae5e7f

    • SHA256

      d63fbd5d295808c22813cb17b72371e3f292addde9da2bdff2ca0bc225f17b1f

    • SHA512

      57431cd3513662d718de4fa85336676c53d726e0e167066963fd421e89fb73271dc537df37a4dfd731ad1f93db513be208470679ede515cf11800a622d3863e5

    • SSDEEP

      24576:2TbBv5rUyXVP9R4x0iGsLP+m2/4lydP1ziQ3pmTQMX3pzJJ9P:IBJPAcWGoQ35kDJ9P

    Score
    3/10
    discovery
    behavioral6

    • Target

      dc/19.exe

    • Size

      2.1MB

    • MD5

      3e2a24aaa5d0f9bb10bfad986ce31279

    • SHA1

      23aa6c2a838eb744f2cee356835eb1f04879e97c

    • SHA256

      dcef31131a10eb3765f1da688fb233fe5fd82aecada26a5a4c003ed848f4ef5e

    • SHA512

      bec737c6d27c77755ec962b46c69832bd25856e1029a54c3f79f4620e6123d9b63277b5c470bc921edfbe1503532f26c882b84315dc701874dc62c04bae4ac26

    • SSDEEP

      49152:IBJ5BGELU3i6oUt8vLD51ncebaIFZRDiXP:ybFgS7U+lZPGIhD2

    Score
    10/10
    credential_accessdiscoverypersistencespywarestealer

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral7

    • Target

      dc/22.exe

    • Size

      1.1MB

    • MD5

      45b712ae3e7e9e4653d55416e6b5ad8d

    • SHA1

      7eea645c4218b62a6388b9a7f0a5f7cc261f79cd

    • SHA256

      ed3c0b86e4e7859a1df63fc525dda383c45b6d186ca683522a21156c92dbd82a

    • SHA512

      15cd21fda86f445afd23b968053e83de299f9ed94813abf0b8bfab5d16c67c20b96219b377aa469ae9c5297d202e6bcef9f057836d268d0ab9bb23a6d6f0d12a

    • SSDEEP

      24576:u2G/nvxW3WieCKXgRAr+qxVFsoLO6Q+XfJhSRL:ubA3jK4qxVXrPa5

    Score
    10/10
    dcratdiscoveryinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral8

    • Target

      dc/23.exe

    • Size

      1.1MB

    • MD5

      a6f747d35d90c66344698cc5ad1ba21f

    • SHA1

      84961f2e854ce6f65413b194ab77264e006c534e

    • SHA256

      f1a2d62c34c17c712655ee85dbd0012c02d03b4923ad082ee0841fd6d111164a

    • SHA512

      ccadbb90aa4c24af7f2b1915e336adab13052012bc00f9ff773e5012cfea338615ffd7017545444513f39fdf88570c43274f12a57fbb281eec25eb9ba11d276f

    • SSDEEP

      24576:u2G/nvxW3WieCP4wzK8OWUwmGybMwW5TUzcOLpNk:ubA3jP4SOZxk+Dp2

    Score
    10/10
    dcratdiscoveryinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      dc/3.exe

    • Size

      2.1MB

    • MD5

      a0dad08f164eaa10775ee446d7609671

    • SHA1

      3fddaf10e5776433aedceefbcfa422e2967d37e2

    • SHA256

      6321ebebea1d093460221986382502f6c5bb0a26937d4587f7476993a087db81

    • SHA512

      d404bddb06c9f38b8f9088cef8d63be392d928756a403e8f666ee1ce93fc7d6396e42fbc75db9a7f9f2aee39ccd5cc42a919baf594a873bef068c3146824fbc6

    • SSDEEP

      49152:IBJ9RJN6XwzevCev8gTi5QIxDdetPmp0ndliBv1j51JqAq:ynwQeZTnewdliBvR3Qv

    Score
    10/10
    discoverypersistence

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral10

    • Target

      dc/4.exe

    • Size

      1.9MB

    • MD5

      8ec6258190b2bde9fa229cc0f2cc847a

    • SHA1

      5a7ae09d4725fcba71a423d877d12a2977798119

    • SHA256

      682f31b0bbe6f30fb67f5e07d6579241307694116a2cce4397e6a995bc5c8529

    • SHA512

      b9c6508bfc82097cbf87d6d829bbe395fd2172d21cd92dae11de7b60b6b0f09c17f307301cf02ccd4240403386899d9ff078b05b6b8cd0ad8a4e7fa927680114

    • SSDEEP

      24576:2TbBv5rUyXVP9R4x0iGsLP+m2/4lydP1ziQ3pmTQMX3pzJJ9djnpbNQDsE2+iIlU:IBJPAcWGoQ35kDJ9ye+iIlYiCn

    Score
    3/10
    discovery
    behavioral11

    • Target

      dc/5.exe

    • Size

      1.5MB

    • MD5

      bd14830a138c0095dca4aa1f0286ab64

    • SHA1

      d2496162caf083f7da2798a87c2b31dee785407b

    • SHA256

      6bbe69a4d43bcdbe194fd79cbc4e02eeac6f23c6eac0b88b7ba4425be891104f

    • SHA512

      0f256578c87b3f6a35d3c7355dc3b60528cc624d091918ca65c73ee71ed8b06ecfcf19789e9ae067338be379b3af3bd41424deb36753e2432622d8b4d4ad3f9c

    • SSDEEP

      24576:U2G/nvxW3Ww0tSQPN1+7zNSQ6lXSvfyV5rUFuS59v2xNXx9qYdzUek:UbA30SQPyGb5rUcU9vOAOUN

    Score
    10/10
    dcratdiscoveryinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral12

    • Target

      dc/6.exe

    • Size

      2.9MB

    • MD5

      901347c38d0559eb5bf5bab62e6d2407

    • SHA1

      34f7c5863b6d38a2c9fafcb0460d75a108b97512

    • SHA256

      71f2a4f7f3abece865c8b648031a3a1cd8cb185b097ff232704307972c0141f1

    • SHA512

      f9440261b64b46070d917d1fb8fbfae6ff4d201887c86a3b5c1d1561b4b5e88dc112b9aabbba234d422b02d76ff035ff95db70fca4acafca97b588eb32604701

    • SSDEEP

      49152:UbA30pNm1SFq104+pXNhYaPr+igbvj+vPiNxU0qb00tfUFIdva:UbVSSF3Nsaj+z8PiuQ

    Score
    10/10
    dcratdiscoveryevasioninfostealerrattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral13

    • Target

      dc/7.exe

    • Size

      2.9MB

    • MD5

      2d30843580eaf66546af1ad6c04338ed

    • SHA1

      5f6df14f8adc05f4feb3e26c3e851ef68813828b

    • SHA256

      7858ed8f2d48186ed0f85b362af8f76065b88662ad20d7e0b393115898ca9972

    • SHA512

      5928280c4f5bc5b3fab24a971552b1b747cccb6cec2939c6908fd927074e0c93e0ebf2c60918b01b98f78ee750abe2491d34bc3242bf9c9f2a003b8a62fd5af5

    • SSDEEP

      49152:IBJW0o4UO9a9j1KgfUh8O/2g5BxxFbUCKyjYmOCXSEUahZn:y40oqURKgfU6O/vV7ZjYmLtUKn

    Score
    9/10
    credential_accessdiscoveryspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral14

    • Target

      dc/9.exe

    • Size

      20.9MB

    • MD5

      5cf2ca02e67df1b3a6884553d35f108b

    • SHA1

      13925e005d5dc99a732cad3165f914c6e2bc08e9

    • SHA256

      9c6d3f6efff6277f74bba5a127c9216dfa5195eab86cd9f8544d6da9d6a33cf5

    • SHA512

      ca9ddc92b44e57de5e9c65566b0afda80cdbc5c06d35fac5767425b8793157a35d767f87bfa4b58be01e3d1124f6018f8ddb0fd1292e9086e49608fd2cd4bb6d

    • SSDEEP

      393216:zoNLbkNj0yKtpbRS0Y4d090xF6PvNhPErelRtD5CM908wYnAT98yTETNYU2HJwvr:zohNyKtS063JXD5C9lqyTEBYU2pwD

    Score
    10/10
    gurcumilleniumratcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistencepyinstallerratspywarestealerupx

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral15

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

Clear Windows Event Logs

1
T1070.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

6
T1012

Remote System Discovery

1
T1018

System Information Discovery

9
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks

static1

ratdcrat
Score
10/10

behavioral1

dcratdiscoveryexecutioninfostealerpersistencerat
Score
10/10

behavioral2

discovery
Score
7/10

behavioral3

dcratcredential_accessdiscoveryexecutioninfostealerratspywarestealer
Score
10/10

behavioral4

discoveryexecution
Score
8/10

behavioral5

discoverypersistence
Score
10/10

behavioral6

discovery
Score
3/10

behavioral7

credential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral8

dcratdiscoveryinfostealerrat
Score
10/10

behavioral9

dcratdiscoveryinfostealerpersistencerat
Score
10/10

behavioral10

discoverypersistence
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

dcratdiscoveryinfostealerrat
Score
10/10

behavioral13

dcratdiscoveryevasioninfostealerrattrojan
Score
10/10

behavioral14

credential_accessdiscoveryspywarestealer
Score
9/10

behavioral15

gurcumilleniumratcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistencepyinstallerratspywarestealerupx
Score
10/10