General
-
Target
starter.exe
-
Size
2.7MB
-
Sample
250123-jmnswaznbw
-
MD5
a2c7f33b3aaf2b9c8c83a6fc8f3557d3
-
SHA1
2e221f4302dab0406047730b6a00f41ba50026f1
-
SHA256
dac550df5cc55821ef50537529790217fce473b75d590c5574e4f591faf58e4d
-
SHA512
0b87aaac5ce731af9626cbc1cb6b57c6c88639c369e6a1b1fbe837cb39492e0d8c62c0413089b505cbbf7682e70291424b845965dbe7152d718f096bb784445c
-
SSDEEP
49152:BaxMakFibE1xjiFzt/BcB91FpttORQCs1tMfxkmXVamXT:oMiI1tYztSBH/Na5kmXVhT
Malware Config
Targets
-
-
Target
starter.exe
-
Size
2.7MB
-
MD5
a2c7f33b3aaf2b9c8c83a6fc8f3557d3
-
SHA1
2e221f4302dab0406047730b6a00f41ba50026f1
-
SHA256
dac550df5cc55821ef50537529790217fce473b75d590c5574e4f591faf58e4d
-
SHA512
0b87aaac5ce731af9626cbc1cb6b57c6c88639c369e6a1b1fbe837cb39492e0d8c62c0413089b505cbbf7682e70291424b845965dbe7152d718f096bb784445c
-
SSDEEP
49152:BaxMakFibE1xjiFzt/BcB91FpttORQCs1tMfxkmXVamXT:oMiI1tYztSBH/Na5kmXVhT
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Umbral payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1