General

  • Target

    115185cf7af582ac2fc2fe681a4a142e.exe

  • Size

    5.9MB

  • Sample

    231204-d22qdsgh26

  • MD5

    115185cf7af582ac2fc2fe681a4a142e

  • SHA1

    fe1be50829297758777a380d94f5b9f369ea4284

  • SHA256

    377f3033cdfdcf4b2bd6b9c2949abcb8d7973c2ade4115d1c622db274bfac687

  • SHA512

    813e8f1473a4f2fd902b5fed0835d1f9c5c5a1a64d9d55eef340421b4fbebe6a42a793a7364d45858172e502435603f3c0d18a532dd04e8cb39de20bd2209d45

  • SSDEEP

    98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4:ByeU11Rvqmu8TWKnF6N/1w

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
