General

  • Target

    9cf6cd197d923c4806912e9c5ef08e3c2c50fb4b20d4ab8b15590a88b73f296b

  • Size

    432KB

  • Sample

    241205-tjqs6sxqbj

  • MD5

    960be0635fcbe74da71408b7d052e01a

  • SHA1

    be02f439acb5cd41560a75c86a9a54777ee04543

  • SHA256

    9cf6cd197d923c4806912e9c5ef08e3c2c50fb4b20d4ab8b15590a88b73f296b

  • SHA512

    ae900d35fe2cc30299f9b8b5625470504563bd2b4e21df4637266744b24f80ae5ae932573d138e7ef1fa95376533227a853690eb2af37b8f69b21236bf67a28f

  • SSDEEP

    6144:+Dcd3kwnUTIGXgyimt41oxHPzfW9k+T97ztuyWYZ8TS:+Dcd3kNTxgstcoNbik+T97z0Fa8O

Targets

    • Target

      {VKK+KODS}/Vkk.exe

    • Size

      164KB

    • MD5

      c417467a71603bf9373d85720947aa53

    • SHA1

      14d819592c4c5a287f8237fbae8afb136a58404d

    • SHA256

      99e670906e0585ff8b380ed79e5c4a299ca46dc7d121f79513c9710c89925a64

    • SHA512

      ae768d8473121ca4ecaa2593dc4425b3ddf7ff712f34749c69dbd3fef1e8dc74207df2e0647a8e430dc7662e8c7a96f4e39abcf88de83d9fb4c402734c47e1e1

    • SSDEEP

      3072:yT62kltl7utrZ8KIw4T3k69nhTaRGAQyeFo:yTwzlP3kwnBAfQVF

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      {VKK+KODS}/vkk.exe

    • Size

      653KB

    • MD5

      91bd6c254ee87e5c67ec306277cd4aaa

    • SHA1

      a7c343316582f0bbd25f23c6a082d0061f0e560b

    • SHA256

      878683a67bb95a2a2917b57b9a737ae1f085fcb8950b212c3a28884abf9c1a34

    • SHA512

      1159b53efc6bc16376504f87e4717ad630b094b3f33ae135409f27296ff2e2fc2e9f9aa21908c2789b7b094deafdbb247925a3691cb1a5bd1fc3a87fda9a7824

    • SSDEEP

      12288:nRZ+IoG/n9IQxW3OBsegHibt32N7oqcLCf8VI3WYwSTdxjZQ:P2G/nvxW3Wu0t32VCk3WY1xju

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL
