General

  • Target

    7b0HMZi.exe

  • Size

    1.4MB

  • Sample

    230130-cl9wdsde88

  • MD5

    171c377e62a138ad8c7bce6c9ff051d3

  • SHA1

    26252b5009f133925ca08f22adf7084c729e53ce

  • SHA256

    f2584e87fac1d7e4b0a8e15f9227626ab95c14dfc7bfd2f6d0abfa4fd6113d63

  • SHA512

    bd5d49d6b6133066a164226c66f1369bb898245ff540a7772fb5e09675c5a736c29f915cae695d6e30a15ab8532bdce98242ba2944d072f6442db0a85a892d31

  • SSDEEP

    24576:jnTvNh6VDOAxsd05hhdshr0SafxxyiDSvGzNlZhlUmbhL:jLNh6ViAxsqr6r0hfqY/lb2

Score
10/10

Malware Config

Targets

    • Target

      7b0HMZi.exe

      (size and hashes as listed under General above)
    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks