General

  • Target

    f9a6ea9fb97c1dd78c6671432ab1bc38d1da662d616b39fa6ce77ac2f50b6d01

  • Size

    1.3MB

  • Sample

    221101-n1frmscegk

  • MD5

    621a3d05f61ec50f9588da0458bf9208

  • SHA1

    7ba723cd0fb59444d51e7586f34058600292fab3

  • SHA256

    f9a6ea9fb97c1dd78c6671432ab1bc38d1da662d616b39fa6ce77ac2f50b6d01

  • SHA512

    d3afd153c382fc0b71907b1bf5ca7b297d02abe6bf89d7a9f479a1ff36bdcfe7c0fa60babc8cc1ea5c6d05b801b03cf5b1c47545384e74274409c6a93e74813a

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Targets

    • Target

      f9a6ea9fb97c1dd78c6671432ab1bc38d1da662d616b39fa6ce77ac2f50b6d01

    • Size

      1.3MB

    • MD5

      621a3d05f61ec50f9588da0458bf9208

    • SHA1

      7ba723cd0fb59444d51e7586f34058600292fab3

    • SHA256

      f9a6ea9fb97c1dd78c6671432ab1bc38d1da662d616b39fa6ce77ac2f50b6d01

    • SHA512

      d3afd153c382fc0b71907b1bf5ca7b297d02abe6bf89d7a9f479a1ff36bdcfe7c0fa60babc8cc1ea5c6d05b801b03cf5b1c47545384e74274409c6a93e74813a

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks