General

  • Target

    NEAS.24bf7c47cb5c94e3ef84baf4dacce6f0.exe

  • Size

    1.4MB

  • Sample

    231117-14fl9sga3v

  • MD5

    24bf7c47cb5c94e3ef84baf4dacce6f0

  • SHA1

    ae7892a2ca0fd30f4657a7d4b4f46d2e51069a8c

  • SHA256

    df41429f2b77bca4585a380bcf2bc1c734f8a1312c6311938b03e80376e74803

  • SHA512

    5630529f86dc585b4eaedab7e8eabc7f35b5dc5210488eec9a1fe8a55f1d408043674366df88591e29bc265f3e1afbc2712ad63b4748b09b79456f0ea839cf55

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Targets

    • Target

      NEAS.24bf7c47cb5c94e3ef84baf4dacce6f0.exe

    • Size

      1.4MB

    • MD5

      24bf7c47cb5c94e3ef84baf4dacce6f0

    • SHA1

      ae7892a2ca0fd30f4657a7d4b4f46d2e51069a8c

    • SHA256

      df41429f2b77bca4585a380bcf2bc1c734f8a1312c6311938b03e80376e74803

    • SHA512

      5630529f86dc585b4eaedab7e8eabc7f35b5dc5210488eec9a1fe8a55f1d408043674366df88591e29bc265f3e1afbc2712ad63b4748b09b79456f0ea839cf55

    • SSDEEP

      24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks