General
-
Target
2025-04-04_0914b58ea55656076d880f83aef889d9_black-basta_cova_luca-stealer
-
Size
2.3MB
-
Sample
250404-lqkxhawpt4
-
MD5
0914b58ea55656076d880f83aef889d9
-
SHA1
ae7d191fbe9180399199ccfb7e9693bd01e52f01
-
SHA256
64c9f04c293aa63c78a8c6d37c83871625082c8c765bd41521e98f2a07517f53
-
SHA512
5a9d1fcedcf11bb2bee972bb15d19415e8ef990baac510ba675cb04a979072794adebc1e41f6dfa85762a0eecb3506dfd8606fc94c077b7a8ff098739d574add
-
SSDEEP
49152:IBJZNpZGSlLv9nBOB3ruEjHnZ2NUAMsjT2:ynNpISxwCEjHZUfjC
Static task
static1
Malware Config
Targets
-
Target
2025-04-04_0914b58ea55656076d880f83aef889d9_black-basta_cova_luca-stealer
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter: 1
  PowerShell: 1
Scheduled Task/Job: 1
  Scheduled Task: 1
Credential Access
Credentials from Password Stores: 1
  Credentials from Web Browsers: 1
Unsecured Credentials: 1
  Credentials In Files: 1