Overview

overview

10

Static

static

10

MsSavesSes...YY.bat

windows7-x64

8

MsSavesSes...YY.bat

windows10-2004-x64

8

MsSavesSes...O1.vbe

windows7-x64

3

MsSavesSes...O1.vbe

windows10-2004-x64

3

MsSavesSes...rf.exe

windows7-x64

10

MsSavesSes...rf.exe

windows10-2004-x64

10

MsSavesSes...le.vbs

windows7-x64

1

MsSavesSes...le.vbs

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a2f2e7faee09ff22d394d74ca44ec2a153199d3af3936d1841f3d57c8eae721c.zip

  • Size

    1.9MB

  • Sample

    241202-db6xes1lbq

  • MD5

    ca992f98e8cf0653e5ac5b39d7b5be38

  • SHA1

    99b01d44d0528f61bd20b4a419aece6fa03cbb53

  • SHA256

    a2f2e7faee09ff22d394d74ca44ec2a153199d3af3936d1841f3d57c8eae721c

  • SHA512

    aa083ced01c13a76b54dc9b45e1e91056dbb3dc6ac7f1764f0cddca3fb6e60465f8999daae8d7e219d5313c5c2a01dfe1f3579a8c4e63a8cf8b56446e4e6a835

  • SSDEEP

    49152:agcpU2Cn4cFusy9lh5v0IcmB7pX+n2PCgPi0TzuQHqgxFJKRKHKpU4:wU2Cfuj3v0sBuQRjJKRKHKU4

Score
10/10
dcratevasioninfostealerpersistencerat

Malware Config

Targets

    • Target

      MsSavesSessionDll/9KjI6fqbs0yhjc5d8qYY.bat

    • Size

      154B

    • MD5

      24c4210b146054c31eb1f4e01f0f4005

    • SHA1

      340eb576f0bc822344328fa3edf6638a60124381

    • SHA256

      bf807e7bc8dbbebecd7a334f77b9a0b0eec352846fd673bdeab482642002ae2f

    • SHA512

      46554f3f2441374a05ceee70c477aed58717f4e7e05ab57daa494f38a8f2b67b2f462a4a170bf4d3c54340d689934ca38462ee77299bca84cfdd0a7fe07dfa92

    Score
    8/10
    evasion

    • Disables Task Manager via registry modification

      evasion
    behavioral1behavioral2

    • Target

      MsSavesSessionDll/KGvUTlEKtYKB1JaFEhyBUO1.vbe

    • Size

      214B

    • MD5

      70a585216ae3ecc7d0bb56903c227315

    • SHA1

      6b661f901134aec8eba29d6b45cff5f8d9d56a58

    • SHA256

      79fb626b5bf797bc6e1c72af3be07bbb1a606587890f1806b20ac984d57201c0

    • SHA512

      02296eaa4d02a535b98961c1aeb410ff505b0e56e23eb7459f945707b94132cadaf12260e97cabff4e3981bc04bfd0318c4a1701eff92446edd5889609c806d9

    Score
    3/10
    behavioral3behavioral4

    • Target

      MsSavesSessionDll/agentreviewPerf.exe

    • Size

      2.3MB

    • MD5

      4e69fcf73418a08fcb8b3e7e2ecb43c4

    • SHA1

      a3ecd09f65ca4e7821a0b7f8596edcd679573f5b

    • SHA256

      fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4

    • SHA512

      a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3

    • SSDEEP

      49152:BwpUwcTZ0rUinysyVZl5LCCcG3RTXM34FIIPWYJxuQfUgtFneJ8BG5U:Bw1ctUyjTLC8puaX/neJ8BgU

    Score
    10/10
    dcratinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      MsSavesSessionDll/file.vbs

    • Size

      34B

    • MD5

      677cc4360477c72cb0ce00406a949c61

    • SHA1

      b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

    • SHA256

      f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

    • SHA512

      7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

    Score
    1/10
    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Tasks