Overview

overview

10

Static

static

3

9e52adafb9...e4.exe

windows7-x64

10

9e52adafb9...e4.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7471eb468a1f0166167f369bec578915.bin

  • Size

    1.6MB

  • Sample

    241029-bthw7szkgk

  • MD5

    6054ee2075458c119d3eb79c47584f68

  • SHA1

    8163d5a6c38ed22496bc989ec403ab0952c3a828

  • SHA256

    a4382bc2e3e389cc63fe4f2ded40191776caa809e84bf99f1afe52b6bdcdf5dd

  • SHA512

    532c19150468ecdc5a1cfaf89a2724712be3ec692c0a29c42f8790177cde9285656b4c4d2ada09fc68b47ed686d310d46488ce434a2af8762040806a5853dc3b

  • SSDEEP

    49152:ghBI5lnyLD5FnxESEbeo/1Cily2y4c85SZ:gEHuVFnxE3bt1CqlDk

Score
10/10
dcratdiscoveryevasionexecutioninfostealerratspywarestealer

Malware Config

Targets

    • Target

      9e52adafb9ddb7668e8c025ebd74a856434b0c4c487a6204fe750e683bc3dbe4.exe

    • Size

      2.2MB

    • MD5

      7471eb468a1f0166167f369bec578915

    • SHA1

      9ded35e930d112a8909dad6aaf1a657f65284588

    • SHA256

      9e52adafb9ddb7668e8c025ebd74a856434b0c4c487a6204fe750e683bc3dbe4

    • SHA512

      3f4abc590644d80a6fdebca9e0d2e1a28bbe220a2f48affa09707d9eaa0ab08077dfec58d6f3b78483459dd143cabd1c38ce3941f5766f06e0f1649b705078f8

    • SSDEEP

      49152:IBTj8WeJJUFAFQGoAgNCw0J1/XfkP/qcdi:yf8W7W8AtX83qcdi

    Score
    10/10
    dcratdiscoveryevasionexecutioninfostealerratspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks