General

  • Target

    NEAS.d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324aexe.exe

  • Size

    2.8MB

  • Sample

    231204-tqhq5scf49

  • MD5

    67d63647fd74c386be72f970b7de593f

  • SHA1

    c23f60cbf8045860a71a1287c495ea326d9279d8

  • SHA256

    d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324a

  • SHA512

    e7edec285b1b11082634e5b07295c03576502b60d2a0ec8cee50afd0a08d2c671b280295ef11c45404dddb8c1577d01164991ba2b1ee9f1df01cfbbb664725e0

  • SSDEEP

    24576:kU2/NtvgQqx9REEG8JeKMRcUZ4z/4/kY8HdBOVoYGZxdKmhACS4rm79JioLobI5y:hWNtg6+Maq0AL8xHACS4rojaL

Malware Config

Targets

    • Target

      NEAS.d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324aexe.exe

    • Size

      2.8MB

    • MD5

      67d63647fd74c386be72f970b7de593f

    • SHA1

      c23f60cbf8045860a71a1287c495ea326d9279d8

    • SHA256

      d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324a

    • SHA512

      e7edec285b1b11082634e5b07295c03576502b60d2a0ec8cee50afd0a08d2c671b280295ef11c45404dddb8c1577d01164991ba2b1ee9f1df01cfbbb664725e0

    • SSDEEP

      24576:kU2/NtvgQqx9REEG8JeKMRcUZ4z/4/kY8HdBOVoYGZxdKmhACS4rm79JioLobI5y:hWNtg6+Maq0AL8xHACS4rojaL

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks