General

  • Target

    25BC30AFA69D34B938949F1F75A41A142636603A71607.exe

  • Size

    532KB

  • Sample

    230127-vs48ladf9x

  • MD5

    7fbdb2f5c7830894d0436a8291e1231f

  • SHA1

    22a13d9bacb8dcf04eb0260999f75fed68d21d0a

  • SHA256

    25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152

  • SHA512

    186f41e9bf79dd0e3711c95d2a73ac734efe83b2321f4f5cd920bf21e95c4075829780d91adbce471335a76cc786a68d8162447b6032465def9d54e8e6b36c1d

  • SSDEEP

    12288:KqnOG4bunLVYAN2ehGtdd3vzQ2JzgW8Lntk:K+OG4bcYAnhGl3U2Jz

Malware Config

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, its ATT&CK ID, and the per-technique count from the report in parentheses.

  • Execution

    Scheduled Task: T1053 (1)

  • Persistence

    Winlogon Helper DLL: T1004 (1)
    Registry Run Keys / Startup Folder: T1060 (1)
    Scheduled Task: T1053 (1)

  • Privilege Escalation

    Scheduled Task: T1053 (1)

  • Defense Evasion

    Modify Registry: T1112 (2)

  • Discovery

    Query Registry: T1012 (1)
    System Information Discovery: T1082 (2)
    Remote System Discovery: T1018 (1)

Tasks