General
-
Target
da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
-
Size
3.0MB
-
Sample
250327-ny8pmstkz7
-
MD5
4bc701fc5e13c1287646e5d1f79760d4
-
SHA1
6bc6e4c44012084ec5af5ebdfd09314e598464e1
-
SHA256
da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb
-
SHA512
fd3bf97de8840b16ae72295082e6aff5f0833de8791d39dc6a347cab771af1b88cfcc56c307c663112d2207cf2a0059a0882b053aa8fa0b67a1f3a3a183ee503
-
SSDEEP
49152:S/3iuoi0xrLIy5sx+3K0n+B87/2bHJC3H0oJK7rohky64a65KKRD:ASuMxAxKp+SDqHJq+zy86A
Malware Config
Targets
-
-
Target
da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
-
Size
3.0MB
-
MD5
4bc701fc5e13c1287646e5d1f79760d4
-
SHA1
6bc6e4c44012084ec5af5ebdfd09314e598464e1
-
SHA256
da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb
-
SHA512
fd3bf97de8840b16ae72295082e6aff5f0833de8791d39dc6a347cab771af1b88cfcc56c307c663112d2207cf2a0059a0882b053aa8fa0b67a1f3a3a183ee503
-
SSDEEP
49152:S/3iuoi0xrLIy5sx+3K0n+B87/2bHJC3H0oJK7rohky64a65KKRD:ASuMxAxKp+SDqHJq+zy86A
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2