General

  • Target

    NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe

  • Size

    1.4MB

  • Sample

    231118-dfsklaah3s

  • MD5

    5e2ccb97d6bf2f8bedd6d473079c33b0

  • SHA1

    699314bf74a661917771308e7cd6d6b618af2827

  • SHA256

    6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

  • SHA512

    0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled
