General

  • Target

    F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe

  • Size

    1.5MB

  • Sample

    220922-ya35csgadm

  • MD5

    152fc3939962d6e1e572f00b33daf7b6

  • SHA1

    25a7bebb0bdce7657fc563949befbf52021b5ea0

  • SHA256

    f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743

  • SHA512

    ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2

  • SSDEEP

    24576:0crm83KQ6jF2oZkbkXu8MEG7GuR8jZBipt62ob1BKzickKhnakY:3XaJA86h7GuRIBat0BKvhX

Malware Config

Targets

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials and session cookies.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application
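The two persistence signatures above (Winlogon tampering and a Run key autostart) are the ones an incident responder would check first on a host that ran this sample. The script below is an added example, not part of the sandbox report or of the DCRat codebase. It audits the Winlogon `Userinit`/`Shell` values against their stock defaults and flags Run/RunOnce entries that launch from user-writable directories. It runs over a constructed dictionary of registry values (as if dumped with `reg export`); on a live host you would fill that dictionary from `winreg` or PowerShell. All paths and value names in the sample data are assumptions.

```python
"""Audit Windows persistence locations for Winlogon tampering and Run-key autostarts.

Added example, not from the sandbox report. Works on a dict of
{ "<hive>\\<key>\\<value name>": "<data>" } so it runs offline; the
SAMPLE_VALUES below are constructed, not taken from the analysed sample.
"""
import re

# Stock defaults for the two Winlogon values persistence loaders hijack.
# Anything appended to them is a finding.
WINLOGON_DEFAULTS = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\Windows\system32\userinit.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        "explorer.exe",
}

RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Directories a legitimate autostart rarely lives in but droppers almost always use.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)


def _split_commands(value):
    """Userinit/Shell may hold several comma-separated commands; normalise each."""
    return [c.strip().strip('"').lower() for c in value.split(",") if c.strip()]


def audit_winlogon(values):
    """Return (value path, [unexpected commands]) for each tampered Winlogon value."""
    findings = []
    for path, expected in WINLOGON_DEFAULTS.items():
        actual = values.get(path)
        if actual is None:
            continue
        baseline = _split_commands(expected)
        extra = [c for c in _split_commands(actual) if c not in baseline]
        if extra:
            findings.append((path, extra))
    return findings


def audit_run_keys(values):
    """Return (value path, command) for Run/RunOnce entries in user-writable locations."""
    findings = []
    for path, data in values.items():
        key, _, _name = path.rpartition("\\")
        if key in RUN_KEYS and USER_WRITABLE.search(data):
            findings.append((path, data))
    return findings


# Constructed registry dump: one hijacked Userinit, one benign and one
# suspicious Run entry. Not data from the sandbox run.
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\svchost.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        "explorer.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r'"C:\Users\victim\AppData\Local\Temp\updater.exe"',
}


if __name__ == "__main__":
    for path, extra in audit_winlogon(SAMPLE_VALUES):
        print(f"[WINLOGON] {path} -> extra commands: {extra}")
    for path, cmd in audit_run_keys(SAMPLE_VALUES):
        print(f"[RUNKEY]   {path} -> {cmd}")
```

The Winlogon check compares command lists rather than raw strings, because a legitimate `Userinit` value ends with a trailing comma and may be quoted; a byte-for-byte comparison against the default would produce false positives on some builds. The Run-key heuristic is deliberately narrow (path-based only); pair it with signer checks on the referenced binary before acting on a hit.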

MITRE ATT&CK Enterprise v6