General

  • Target

    NEAS.StandoffCheatsetup.exe

  • Size

    3.0MB

  • Sample

    231117-t73gwacc4v

  • MD5

    619b6faee14d0b8b96fd8132a85a898c

  • SHA1

    d659003f71ff328af7d3a0477f668f84560cd035

  • SHA256

    b43b47c0c78016ff192685d26d4340bf1db938fbde1492bcb7ec7d21f9e45568

  • SHA512

    16d05a8b3d55da7b3ece682552debc79876336267f0c93fcdb860f80d5ff47c30b9ed67b9bce44f30a6cb065dcc41518ddccf3c41594429628e3ceb2f18433a2

  • SSDEEP

    49152:dbA3sLRsklS8RXLmElMOrhc7kqR4xVtMWmiPsyFq/a+NCgjLCY74ln/6:dbfukfJmEl7hyR4xVtHTPsyFWFGln/6

Targets

    • Target

      NEAS.StandoffCheatsetup.exe

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
