Overview

overview

10

Static

static

3

3d79293d37...14.exe

windows7-x64

10

3d79293d37...14.exe

windows10-2004-x64

10

3d79293d37...14.exe

android-9-x86

3d79293d37...14.exe

android-10-x64

3d79293d37...14.exe

android-11-x64

3d79293d37...14.exe

macos-10.15-amd64

3d79293d37...14.exe

ubuntu-18.04-amd64

3d79293d37...14.exe

debian-9-armhf

3d79293d37...14.exe

debian-9-mips

3d79293d37...14.exe

debian-9-mipsel

Resubmissions

14-01-2025 04:24

250114-e1k7payngl 10

14-01-2025 03:04

250114-dkkesaxmar 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe

  • Size

    16.0MB

  • Sample

    250114-e1k7payngl

  • MD5

    5aa236eabe65a1e444f1eb31fb330eba

  • SHA1

    b6a8d5362991511526ea5a2b86ad70f05e70652c

  • SHA256

    3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714

  • SHA512

    0ab8e56f1f8a09491d96416bdc2798874ff153ef56c6476cd9eda9fe0744e77f56132073524f1a2719a75d5dea8dcd5706ee1497867f8b3e62c9a52641afc0be

  • SSDEEP

    98304:mjHzjFPB6n2gC9U851tTRIXDNgn+ojsSw9y4Q1vL3NPt:yHHFPgns9BvpyNgnNW4

Score
10/10
dcratandroiddiscoveryevasionexecutioninfostealerlinuxmacospersistencerat

Malware Config

Targets

    • Target

      3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe

    • Size

      16.0MB

    • MD5

      5aa236eabe65a1e444f1eb31fb330eba

    • SHA1

      b6a8d5362991511526ea5a2b86ad70f05e70652c

    • SHA256

      3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714

    • SHA512

      0ab8e56f1f8a09491d96416bdc2798874ff153ef56c6476cd9eda9fe0744e77f56132073524f1a2719a75d5dea8dcd5706ee1497867f8b3e62c9a52641afc0be

    • SSDEEP

      98304:mjHzjFPB6n2gC9U851tTRIXDNgn+ojsSw9y4Q1vL3NPt:yHHFPgns9BvpyNgnNW4

    Score
    10/10
    dcratdiscoveryevasionexecutioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral10behavioral2behavioral3behavioral4behavioral5behavioral6behavioral7behavioral8behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks