General

  • Target

    NEAS.8a3f7accb656f787354b8280323176a0.exe

  • Size

    783KB

  • Sample

    231118-gjfxrabh92

  • MD5

    8a3f7accb656f787354b8280323176a0

  • SHA1

    c9544d9107ed710954bf4b575598cc392d567f26

  • SHA256

    32b2a8994267885e9c2e1b70dfe03a088e45714f90f9aab8c5c89649dba6b80f

  • SHA512

    c81e198a992c469d5e533cc35a7604fc00097b2c2d4bf0ebed85487f4d9708c8adca543ebf11963d464e007379bc7e62a00bdca84d7dec79b7cefbaa9775bb7e

  • SSDEEP

    12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:G+OQbpbgsFdAyQvzSqaq8q

Targets

    • Target

      NEAS.8a3f7accb656f787354b8280323176a0.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory
