General

  • Target

    NEAS.24e987e71fc72787f57c06150877deb0.exe

  • Size

    1.4MB

  • Sample

    231117-3s9gbaff56

  • MD5

    24e987e71fc72787f57c06150877deb0

  • SHA1

    dc00c59c8cc7f5f59a23740400783592833f7105

  • SHA256

    de48971318f0a4d6cef33221ea1119a8e94d1b2f4ce2d4891e5d4e1252516526

  • SHA512

    4d787553840a77d89eb8bb18e2edd42870fbc7a449b9cf9116ef935cd82b078555bb3b5ba8b7cc6933c4710f3a75eed2a5ddf8a5d42e5b27d7867c2a1d95f7fe

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Targets

    • Target

      NEAS.24e987e71fc72787f57c06150877deb0.exe

    • Size

      1.4MB

    • MD5

      24e987e71fc72787f57c06150877deb0

    • SHA1

      dc00c59c8cc7f5f59a23740400783592833f7105

    • SHA256

      de48971318f0a4d6cef33221ea1119a8e94d1b2f4ce2d4891e5d4e1252516526

    • SHA512

      4d787553840a77d89eb8bb18e2edd42870fbc7a449b9cf9116ef935cd82b078555bb3b5ba8b7cc6933c4710f3a75eed2a5ddf8a5d42e5b27d7867c2a1d95f7fe

    • SSDEEP

      24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks