General

  • Target

    NEAS.d175dc6216c44fae8c84bd4b3cdea920.exe

  • Size

    783KB

  • Sample

    231117-3c86lsge9s

  • MD5

    d175dc6216c44fae8c84bd4b3cdea920

  • SHA1

    69537acd660534c7d1a51c5783b87619163f6944

  • SHA256

    cde8755302bd741c496435709606fd8d904dbaf76bc745d99a1e0de4a736c619

  • SHA512

    76430dbf5a39846808d5150750bd1cfb91a576e3f057476dcb2d117b7d3fde935220961d29ef7f40fede9de84d6dd727b1a163a714d1bfdeb382c7a1a4246362

  • SSDEEP

    12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:G+OQbpbgsFdAyQvzSqaq8q

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory
