General

  • Target

    NEAS.12512b9fc15ed49fb1066046fb8fed90.exe

  • Size

    1.4MB

  • Sample

    231118-cz473aae7t

  • MD5

    12512b9fc15ed49fb1066046fb8fed90

  • SHA1

    480b04304f83fa8b96d28e060068fbc11c9b3a05

  • SHA256

    cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

  • SHA512

    d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Targets

    • Target

      NEAS.12512b9fc15ed49fb1066046fb8fed90.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled
