General

  • Target

    b384bae14152546bfe204f60a9d267da.exe

  • Size

    2.3MB

  • Sample

    230127-at2tmshd2t

  • MD5

    b384bae14152546bfe204f60a9d267da

  • SHA1

    74dc84cddd03de2f50b0a3db6416eb05927bcad6

  • SHA256

    ee798fd5e8c53a233321ef63056274f6ec8ef735c194a19950948eb2d8d41ede

  • SHA512

    1d3d43f98523f556ec26b1e531248d904f76065112d7954552de767a812a471ef9be37498f5a015c8ef2a52d2e4f375ff5d42f233011a29bd9ae6dea7ca052bd

  • SSDEEP

    49152:4EAW6oV1uWgMzCAKcNqGAonnXvjGt8YxKIh3i2L:bADWgmNqGAKKBli

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task: T1053 (1)

  • Persistence

    Scheduled Task: T1053 (1)

  • Privilege Escalation

    Scheduled Task: T1053 (1)

  • Credential Access

    Credentials in Files: T1081 (1)

  • Discovery

    Query Registry: T1012 (1)

    System Information Discovery: T1082 (2)

  • Collection

    Data from Local System: T1005 (1)

Tasks