General
-
Target
jopik.exe
-
Size
3.1MB
-
Sample
250330-nqp8bsxxht
-
MD5
25af61a744bdfb7be6e811a1119d55f6
-
SHA1
c4352f21b66710e390592d50ae5914ce0c33cf56
-
SHA256
babed92f8fa49db0ca046162e82f7e2403f33c4ca9ea5097ba981a5d3d365793
-
SHA512
3b7bc8129c5fec44139d502b2c410680724bac368aa17094f6191d57e4f8fac182f28e86f8db512d0472e088540449171602a4f3b0db96b6811b7fb73f4580dc
-
SSDEEP
98304:jqmG8KBY7G6G6GCKuuhjtdtyDzPcuBol:2mv/G6Yad7a
Malware Config
Targets
-
-
Target
jopik.exe
-
Size
3.1MB
-
MD5
25af61a744bdfb7be6e811a1119d55f6
-
SHA1
c4352f21b66710e390592d50ae5914ce0c33cf56
-
SHA256
babed92f8fa49db0ca046162e82f7e2403f33c4ca9ea5097ba981a5d3d365793
-
SHA512
3b7bc8129c5fec44139d502b2c410680724bac368aa17094f6191d57e4f8fac182f28e86f8db512d0472e088540449171602a4f3b0db96b6811b7fb73f4580dc
-
SSDEEP
98304:jqmG8KBY7G6G6GCKuuhjtdtyDzPcuBol:2mv/G6Yad7a
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect SalatStealer payload
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Salatstealer family
-
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4