General

  • Target

    NEAS.a06fa90672e47f8037a0cba516c51180.exe

  • Size

    1.4MB

  • Sample

    231117-w23xkacd92

  • MD5

    a06fa90672e47f8037a0cba516c51180

  • SHA1

    6ac9fc25a9460cf0c1a519b3167a97ce81f08532

  • SHA256

    b281b6bc08d7676f5dc0998e39bd123a4c7af5e97694da7a2ed57161adeb264b

  • SHA512

    5b5a698362b9a66a9ac771fd06bdc08cb96a9845ba5d47afdfa1ffa640a750dc928c22387d72d1a4da1ce313057a9efd56cfa960f24340f558e0b43e173cb881

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Targets

    • Target

      NEAS.a06fa90672e47f8037a0cba516c51180.exe

    • Size

      1.4MB

    • MD5

      a06fa90672e47f8037a0cba516c51180

    • SHA1

      6ac9fc25a9460cf0c1a519b3167a97ce81f08532

    • SHA256

      b281b6bc08d7676f5dc0998e39bd123a4c7af5e97694da7a2ed57161adeb264b

    • SHA512

      5b5a698362b9a66a9ac771fd06bdc08cb96a9845ba5d47afdfa1ffa640a750dc928c22387d72d1a4da1ce313057a9efd56cfa960f24340f558e0b43e173cb881

    • SSDEEP

      24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks