General
-
Target
EAE6D4D5EAE0CF85FF69EB89946E4185.exe
-
Size
885KB
-
Sample
241107-yx89wsxmds
-
MD5
eae6d4d5eae0cf85ff69eb89946e4185
-
SHA1
9107578b01297b583bf797575bea0d745d024260
-
SHA256
ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810
-
SHA512
14fbb35dc316eef0d11204280b8e152d54905f72e43f2f98d92cfca559f3d09dd7d849ea01ce1c57ab94d356b26d6146e6714a51d1f72af9d4d94fc0adba533f
-
SSDEEP
24576:9WUovLOqIJk8IjNJ/+z4F3osuiKoqsyol54bWYUK:9LoDP8IxF3osxKoqUK
Malware Config
Targets
-
-
Target
EAE6D4D5EAE0CF85FF69EB89946E4185.exe
-
Size
885KB
-
MD5
eae6d4d5eae0cf85ff69eb89946e4185
-
SHA1
9107578b01297b583bf797575bea0d745d024260
-
SHA256
ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810
-
SHA512
14fbb35dc316eef0d11204280b8e152d54905f72e43f2f98d92cfca559f3d09dd7d849ea01ce1c57ab94d356b26d6146e6714a51d1f72af9d4d94fc0adba533f
-
SSDEEP
24576:9WUovLOqIJk8IjNJ/+z4F3osuiKoqsyol54bWYUK:9LoDP8IxF3osxKoqUK
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Boot or Logon Autostart Execution: Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Blocklisted process makes network request
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Modifies termsrv.dll
Commonly used to allow simultaneous RDP sessions.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Print Processors
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Print Processors
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
3System Information Discovery
4System Location Discovery
1System Language Discovery
1