General

  • Target

    61cbb21bcc559a88d2e8365d6a2abb738faf56acd0e0b2f259235621d14fd71b

  • Size

    432KB

  • Sample

    241031-y54dlstcqm

  • MD5

    acb27404509c805c987907344c13bee4

  • SHA1

    a99585d4376067700047258c0294f3ea890358d8

  • SHA256

    61cbb21bcc559a88d2e8365d6a2abb738faf56acd0e0b2f259235621d14fd71b

  • SHA512

    bcf7d26aac2f4048c710d9100ef0538d20bf6f1c4925eb9060808d5b25c08fa0ef35e46e6226de745d06c6120ceff06f1b5acfb53c2161bde40570f3c42dddfc

  • SSDEEP

    6144:nDcd3kwnU2IGXgyimt41oxHPzfW9k+T97ztuyWYZ8Ta:nDcd3kN2xgstcoNbik+T97z0Fa82

Malware Config

Targets

    • Target

      {VKK+KODS}/Vkk.exe

    • Size

      164KB

    • MD5

      c417467a71603bf9373d85720947aa53

    • SHA1

      14d819592c4c5a287f8237fbae8afb136a58404d

    • SHA256

      99e670906e0585ff8b380ed79e5c4a299ca46dc7d121f79513c9710c89925a64

    • SHA512

      ae768d8473121ca4ecaa2593dc4425b3ddf7ff712f34749c69dbd3fef1e8dc74207df2e0647a8e430dc7662e8c7a96f4e39abcf88de83d9fb4c402734c47e1e1

    • SSDEEP

      3072:yT62kltl7utrZ8KIw4T3k69nhTaRGAQyeFo:yTwzlP3kwnBAfQVF

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      {VKK+KODS}/vkk.exe

    • Size

      653KB

    • MD5

      91bd6c254ee87e5c67ec306277cd4aaa

    • SHA1

      a7c343316582f0bbd25f23c6a082d0061f0e560b

    • SHA256

      878683a67bb95a2a2917b57b9a737ae1f085fcb8950b212c3a28884abf9c1a34

    • SHA512

      1159b53efc6bc16376504f87e4717ad630b094b3f33ae135409f27296ff2e2fc2e9f9aa21908c2789b7b094deafdbb247925a3691cb1a5bd1fc3a87fda9a7824

    • SSDEEP

      12288:nRZ+IoG/n9IQxW3OBsegHibt32N7oqcLCf8VI3WYwSTdxjZQ:P2G/nvxW3Wu0t32VCk3WY1xju

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL
