Overview

overview

10

Static

static

3

FATALITY CRACK.rar

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FATALITY CRACK.rar

  • Size

    2.7MB

  • Sample

    241127-xd1b7s1qdn

  • MD5

    eb91852ed7ae328ed294a75c56582481

  • SHA1

    7d980b6789e74998fd1b906dfb7eda7e3495a127

  • SHA256

    30e973ae2b2420c2506000813d5fc3fb12c4bedc3595b00b097840b597018df9

  • SHA512

    245d39ff89011ea50f42f1098c459349add3a21f8db7d55ddacfe4c812e68920b2a879144ed1845fc6623609cc5a4be7fb8537b0d007607fde289e0eedd89c78

  • SSDEEP

    49152:INSopUBKz7NJ3s9WUt/py3y1VNJNwDn7Fex0P1EDsix6Uqaj:gSopzzZPG/py3ybNgDnBex01RiA2j

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Targets

    • Target

      FATALITY CRACK.rar

    • Size

      2.7MB

    • MD5

      eb91852ed7ae328ed294a75c56582481

    • SHA1

      7d980b6789e74998fd1b906dfb7eda7e3495a127

    • SHA256

      30e973ae2b2420c2506000813d5fc3fb12c4bedc3595b00b097840b597018df9

    • SHA512

      245d39ff89011ea50f42f1098c459349add3a21f8db7d55ddacfe4c812e68920b2a879144ed1845fc6623609cc5a4be7fb8537b0d007607fde289e0eedd89c78

    • SSDEEP

      49152:INSopUBKz7NJ3s9WUt/py3y1VNJNwDn7Fex0P1EDsix6Uqaj:gSopzzZPG/py3ybNgDnBex01RiA2j

    Score
    10/10
    dcratdiscoveryinfostealerpersistenceratspywarestealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks