General
-
Target
DeltaCrack.exe
-
Size
12KB
-
Sample
250202-pzvd3ssjhx
-
MD5
b6f8ce701bcbc0dea1ce3932bad8bd59
-
SHA1
5b0117f1ac2649173034784574426d3875c1c2a9
-
SHA256
2637fba7a82cf6b7b65ecea2e83da886d4252db8bf64e8dc4de29768c828745c
-
SHA512
a83d4555adfa3b9bf664b774fd60d70286e2cb3dcef36688b056d643b3b6e919485bfc55146fc24447e5367531c22ef58894d0fe20836316596ea34b95d7a2b3
-
SSDEEP
192:6JcV4aQPPUEdt5ymbzRH+GxfekEcDZbU865/WH1yaME+zrq9:6JcV49PM+tYmbNj9emy865Iyw+zrq
Malware Config
Targets
-
-
Target
DeltaCrack.exe
-
Size
12KB
-
MD5
b6f8ce701bcbc0dea1ce3932bad8bd59
-
SHA1
5b0117f1ac2649173034784574426d3875c1c2a9
-
SHA256
2637fba7a82cf6b7b65ecea2e83da886d4252db8bf64e8dc4de29768c828745c
-
SHA512
a83d4555adfa3b9bf664b774fd60d70286e2cb3dcef36688b056d643b3b6e919485bfc55146fc24447e5367531c22ef58894d0fe20836316596ea34b95d7a2b3
-
SSDEEP
192:6JcV4aQPPUEdt5ymbzRH+GxfekEcDZbU865/WH1yaME+zrq9:6JcV49PM+tYmbNj9emy865Iyw+zrq
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1