General

  • Target

    280568f45143f46f51bde5e6e158ded1.exe

  • Size

    5.9MB

  • Sample

    231204-e5dneaha2v

  • MD5

    280568f45143f46f51bde5e6e158ded1

  • SHA1

    338bb0b0c25df43c3a65f2d326c3c5fa09427f2d

  • SHA256

    34e740ecbaab29c15536abd6409bd10e1880a77eeb8a5a88e787051d4fd916a9

  • SHA512

    d8ed2ba7af1a444b1d2f36c6fb3edafb045b3446709456ead5e097186390a63365a5bd33e7fb18f8df4c0aa672b63923415bb76f8a91733219fc2046dd93107d

  • SSDEEP

    98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4:xyeU11Rvqmu8TWKnF6N/1w

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
