General

  • Target

    NEAS.ee9c47c40454820e89d46e4b89068090.exe

  • Size

    1.4MB

  • Sample

    231118-hm885sde7v

  • MD5

    ee9c47c40454820e89d46e4b89068090

  • SHA1

    74c981d480a6997b8f6f3ffe6c5ba9b005070f3d

  • SHA256

    1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550

  • SHA512

    36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Targets

    • Target

      NEAS.ee9c47c40454820e89d46e4b89068090.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled
