General

  • Target

    6bc0f24aa721a73e5964fafaeae8dd272fa320a5f2cad7a0ade54dcd1c189bf3

  • Size

    1.3MB

  • Sample

    221101-mlwc4sbhar

  • MD5

    b48aa0712ad3d824893fe3110d4cfec5

  • SHA1

    29a08ccd632bb1155b66d604b612d7c8967c6817

  • SHA256

    6bc0f24aa721a73e5964fafaeae8dd272fa320a5f2cad7a0ade54dcd1c189bf3

  • SHA512

    f9f0a10a69f0824d5815cb835af4b3caf174fd9b11e3606f1ee76c3bc56156922a98a2c00f8e4cf339d3236a18e4bbe0285641319f77b22b65f5e653b9e395a2

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Targets

    • Target

      6bc0f24aa721a73e5964fafaeae8dd272fa320a5f2cad7a0ade54dcd1c189bf3

    • Size

      1.3MB

    • MD5

      b48aa0712ad3d824893fe3110d4cfec5

    • SHA1

      29a08ccd632bb1155b66d604b612d7c8967c6817

    • SHA256

      6bc0f24aa721a73e5964fafaeae8dd272fa320a5f2cad7a0ade54dcd1c189bf3

    • SHA512

      f9f0a10a69f0824d5815cb835af4b3caf174fd9b11e3606f1ee76c3bc56156922a98a2c00f8e4cf339d3236a18e4bbe0285641319f77b22b65f5e653b9e395a2

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks