General

  • Target

    NEAS.StandoffNerect.exe

  • Size

    2.9MB

  • Sample

    231117-vbss8sbc59

  • MD5

    d379e0c6cc18383e9ee3a6d18a580bb3

  • SHA1

    d3ca3575369eac435245d2cf5a368bdcfb858ee7

  • SHA256

    bf3ec2b49166bfead5ad4eb1c13a53bf8f170cca0bed429741ef974d30350c2f

  • SHA512

    b531de741ba315889d952ee5981adacc064233584e763475fcf526f92a26c43fa0615c3bbffe939d572c78dd333f6fcbb791c9e367ea1bbfe6a8b8a4874c2f4f

  • SSDEEP

    49152:wbA31rOJYaxyU0apdmAZnZ+Im7UVfAf3nVtG/GiRa7KCDPoTicNiDEfI9IX:wb0EMUndman1VIvHGeoaxwTicNVfuQ

Targets

    • Target

      NEAS.StandoffNerect.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
