General

  • Target

    NEAS.4d7463d7f489ec7de6ebea288af19270.exe

  • Size

    1.4MB

  • Sample

    231117-1krkesee22

  • MD5

    4d7463d7f489ec7de6ebea288af19270

  • SHA1

    3a350b9badebb0d9f31bf6472d6f5c69d246ef39

  • SHA256

    bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48

  • SHA512

    1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Targets

    • Target

      NEAS.4d7463d7f489ec7de6ebea288af19270.exe

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled
