General

  • Target

    солярка (воркает).rar

  • Size

    2.6MB

  • Sample

    241004-wvj6washqa

  • MD5

    45fd7de7a40563e71d6f2e8ab3accc10

  • SHA1

    b3f77f34507850c890789cacb0ccd0bba87d6a3c

  • SHA256

    3c74eb0e0e744bed1deab78229f53f571be042fe0bfbdb31df99dabbe1ec33a1

  • SHA512

    4276a959de82f67309a0624401fa315c605af6f8be40b393473fda6fefb5b3cd5444c2f5bc16f1743685595cecb8bcdcaddaa5e1ad6385ef76f5034e735dc62a

  • SSDEEP

    49152:NSIWLZd0Gb+987RBstRIwekxcbTB2BuVuyZi6YX2nLots1u3VonghLyQ:NfWLZd0Gai7RERIwPxC22j64LoRVYOr

Targets

    • Target

      солярка (воркает)/BootstrapperV1.21.exe

    • Size

      3.8MB

    • MD5

      d83d803d2aa210c2ea165a6ba41d755a

    • SHA1

      5e9f047412addd3a3a36dfd2890c3709a6b6840d

    • SHA256

      c7becefe6c1a08698fe22edd47646657e9312acf4824c7435dd4b2af46e10072

    • SHA512

      d510c369c589d39114556b46f0d333165a2d22e163776cd4eb5c13d993745279c3110815013fb4fe62c5015fc94b6527ebf029ac465d2b691a74a91cbf6e75d4

    • SSDEEP

      49152:wbA3jjuzRg+fejWikp35V5nqe3jCtJaOEXt/kdK9decwoGH/jHc4U:wbGqyLpQz5qeTCtwOEkw9decKU

    • DcRat

      DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Blocklisted process makes network request

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
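The signature labels above are the sandbox's summary of observed behaviour; the rules behind them are not published on the page. The block below is an added example, not part of this report or of the sandbox's own tooling: it replays a handful of constructed, sandbox-style API trace records (invented paths and PIDs) and re-implements four of the listed signatures as explicit checks, so the reader can see what each label is keyed on. The registry locations are real (Windows keeps the configured region under `Control Panel\International\Geo` and the UAC switch in the `EnableLUA` value under `Policies\System`); the "unexpected child" heuristic is an assumption that approximates, not reproduces, the sandbox's rule.

```python
"""Added example, not part of the sandbox report or its tooling: replays
constructed, sandbox-style API trace records and re-implements four of the
report's behavioural signatures as explicit detection rules."""
import ntpath

# --- constructed trace -------------------------------------------------------
# Record shape is invented for this example: one monitored API call per dict,
# attributed to the calling process. Paths and PIDs are made up.
SAMPLE = r"C:\Users\u\Desktop\BootstrapperV1.21.exe"
TRACE = [
    {"pid": 1200, "image": SAMPLE, "api": "RegQueryValueExW",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"pid": 1200, "image": SAMPLE, "api": "RegQueryValueExW",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA"},
    {"pid": 1200, "image": SAMPLE, "api": "CreateProcessW",
     "child": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1300, "image": r"C:\Windows\System32\cmd.exe", "api": "CreateProcessW",
     "child": r"C:\Windows\System32\schtasks.exe"},
    {"pid": 1200, "image": SAMPLE, "api": "CreateFileW",
     "path": r"C:\Windows\System32\Tasks\Update.exe"},
    {"pid": 1200, "image": SAMPLE, "api": "CreateFileW",
     "path": r"C:\Users\u\AppData\Local\Temp\stage2.dll"},
    # Benign control record: the user launching the sample from the shell.
    {"pid": 900, "image": r"C:\Windows\explorer.exe", "api": "CreateProcessW",
     "child": SAMPLE},
]

# --- rule inputs -------------------------------------------------------------
# Interpreters and task/registration utilities that a binary running from a
# user-writable directory has little legitimate reason to spawn (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "schtasks.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
SYSTEM32 = "c:\\windows\\system32\\"


def _base(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_location_check(rec):
    # "Checks computer location settings": a read from the Geo subkey, where
    # Windows stores the GeoID (Nation) and ISO code (Name) of the configured region.
    return (rec["api"] == "RegQueryValueExW"
            and rec["key"].lower().endswith("\\control panel\\international\\geo"))


def rule_uac_check(rec):
    # "Checks whether UAC is enabled": EnableLUA under Policies\System is the
    # machine-wide UAC on/off switch.
    return (rec["api"] == "RegQueryValueExW"
            and rec["key"].lower().endswith("\\policies\\system")
            and rec["value"].lower() == "enablelua")


def rule_unexpected_child(rec):
    # "Process spawned unexpected child process": an interpreter/LOLBin child
    # whose parent runs from a user-writable location. This is an assumed
    # approximation; the sandbox's own rule is not published on the page.
    return (rec["api"] == "CreateProcessW"
            and _base(rec["child"]) in SUSPICIOUS_CHILDREN
            and _user_writable(rec["image"]))


def rule_system32_drop(rec):
    # "Drops file in System32 directory": a file created under System32 by a
    # process that does not itself live there.
    return (rec["api"] == "CreateFileW"
            and rec["path"].lower().startswith(SYSTEM32)
            and not rec["image"].lower().startswith(SYSTEM32))


RULES = {
    "Checks computer location settings": rule_location_check,
    "Checks whether UAC is enabled": rule_uac_check,
    "Process spawned unexpected child process": rule_unexpected_child,
    "Drops file in System32 directory": rule_system32_drop,
}


def triage(trace):
    """Map each signature name to the (pid, detail) records that fired it."""
    hits = {name: [] for name in RULES}
    for rec in trace:
        for name, rule in RULES.items():
            if rule(rec):
                detail = rec.get("child") or rec.get("path") or rec["key"] + "\\" + rec["value"]
                hits[name].append((rec["pid"], detail))
    return {name: where for name, where in hits.items() if where}


if __name__ == "__main__":
    for signature, where in triage(TRACE).items():
        print(f"{signature}: {where}")
```

Running the block prints one line per fired signature with the PID and the registry value, child image or file path that triggered it. Note that the control record (explorer.exe launching the sample) and cmd.exe spawning schtasks.exe from System32 do not fire the child-process rule: the heuristic deliberately keys on the parent's location, not merely on the child's name, which is the distinction a practitioner should reproduce when turning a sandbox label into a production detection.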

MITRE ATT&CK Enterprise v15