General

  • Target

    5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

  • Size

    1.3MB

  • Sample

    230122-1769dshh84

  • MD5

    b9a0002e9a104374dea2f4ba571f1764

  • SHA1

    627488abb7aeeb5f8f411a9694cebd6b4748a86f

  • SHA256

    5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

  • SHA512

    439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5

  • SSDEEP

    24576:U2G/nvxW3Ww0t4952ytIS/Zgi5N5vC8bg7Mj9W4eHdELPh:UbA30QAytISht5q8bQMB4o

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6