General

  • Target

    NEAS.45848f39a541d1778a1985e41060aae0.exe

  • Size

    1.4MB

  • Sample

    231117-3y7jxagh3t

  • MD5

    45848f39a541d1778a1985e41060aae0

  • SHA1

    a0492acdcc7e53d3f0291fcda57847553825c6a0

  • SHA256

    047c4802b4c4dcd11d55ef0d671efd5f15f3f30d8efdda6c7b08a33e6eac3acb

  • SHA512

    8db844fad8d4fefe0465900d07990f87225a1099370544bca578ad491173fd6ed6e4e540c120d970e0df7bb4c21690d5e0d36d2ebe7972d0fa54eccfa6e7ce9c

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled
