General
- Target: 123.rar
- Size: 627KB
- Sample: 250123-s6ya4awkgr
- MD5: 92ec0c734bf81f19627f068b8b1ec529
- SHA1: 8cb79b342760c841addc21e5bdaa4beba4148942
- SHA256: dfe9f39426e9f5c49dfd52ec6dcf91a679af24d2e5a6119a139b9bdf1525655d
- SHA512: 754f39ae79ef974fe55c6b1768ec322c8a898f9b8993281952d82bbd3dff85ebb60d8d8a9b64163ca5d9f4177c5fd54f9e42b9bb889b73d6b118b44913c6a619
- SSDEEP: 12288:DfMyzcrZC15Hn80554N7/ALQAp0fDAUOC/WBi9lsGm15d73dXlhw:DfHzIW53gTAMDAUdf96GA5dDd1m
Behavioral tasks
- behavioral1: Sample taskhostw.exe, Resource win10v2004-20241007-en
- behavioral2: Sample taskhostw.exe, Resource win10ltsc2021-20250113-en
- behavioral3: Sample taskhostw.exe, Resource win11-20241007-en
Malware Config
Targets
- Target: taskhostw.exe
- Size: 1.2MB
- MD5: ac904ffc13b5f221270f475065687b59
- SHA1: ed6b4383582eae7b72064a10e33cebc6fd3690e5
- SHA256: 963a316c03e4f88df946a43d537f6ed2d2001eaafcde40bdb52cd15104112606
- SHA512: 9626483209d8546c835c94cfffd89e1cf6ae813730d04dfdb9b4b4019e12ee0c9166fa76fb47426251f6e669d6c63037718ffb8c8366766cadca1a9f78c91559
- SSDEEP: 12288:URZ+IoG/n9IQxW3OBseUUT+tcYbqTHSOOJVu1SNEC8m+P1BAyrQ/ta3iruJtDwbD:u2G/nvxW3WieC2nOJVrj8m+aSDwbA9Nq

Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager: Suspicious access to Credentials History.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Drops autorun.inf file: Malware can abuse Windows Autorun to spread further via attached volumes.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)