General
-
Target
3473e4f724dbe6f719b6e02945fd8e92.exe
-
Size
22.3MB
-
Sample
250207-p8nmwssqcj
-
MD5
3473e4f724dbe6f719b6e02945fd8e92
-
SHA1
260a8c3c4a9759e21173ba58353203120418ac18
-
SHA256
85fffd5634882bd2eb4f667d225cba962ef6e49d1a497ec7139df3ff41c38fe3
-
SHA512
10f6802d6d8c54dfdf3e534b7b693c11597ff919e6f32777fc37715a0fbf68e13a37774c6981b8e2bda726f58e4042cc82c0b48744b495d49e2675eeb088f439
-
SSDEEP
393216:UDtdcuudxlyNom7rqzvP11bfVuJVy+GDBFlc64sb6BcYCJ3lBVi6rkA+LbFIDVwq:src7lyNosOj+I+GaxQ6B9CJ3nY6rkA+G
Malware Config
Targets
-
-
Target
3473e4f724dbe6f719b6e02945fd8e92.exe
-
Size
22.3MB
-
MD5
3473e4f724dbe6f719b6e02945fd8e92
-
SHA1
260a8c3c4a9759e21173ba58353203120418ac18
-
SHA256
85fffd5634882bd2eb4f667d225cba962ef6e49d1a497ec7139df3ff41c38fe3
-
SHA512
10f6802d6d8c54dfdf3e534b7b693c11597ff919e6f32777fc37715a0fbf68e13a37774c6981b8e2bda726f58e4042cc82c0b48744b495d49e2675eeb088f439
-
SSDEEP
393216:UDtdcuudxlyNom7rqzvP11bfVuJVy+GDBFlc64sb6BcYCJ3lBVi6rkA+LbFIDVwq:src7lyNosOj+I+GaxQ6B9CJ3nY6rkA+G
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Disables Task Manager via registry modification
-
Stops running service(s)
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Modify Registry
5Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3