General

  • Target

    Delta V3.61 b_68875918.exe

  • Size

    10.6MB

  • Sample

    231204-xmvs3see42

  • MD5

    12ef5a2e4334f078106472e24d385c49

  • SHA1

    5958b2805c7e0d316b8a5d4bfc97eb82cf632942

  • SHA256

    adb4b7fb0fccc4509ec2b1e214fe3840f6ba0a91436d8a2f93287acdd4bb55c1

  • SHA512

    a236bd9253dafdc7aed54d53078818ac8e553d8bde47ba6bc1ffc410b642368b4694feaba136aa66876c2acee805216ce3d48ad5498eecaa17f1f2be1e9ebeed

  • SSDEEP

    196608:jHW9mQcHOeABYMq++riI3PyBwUyjJjXtbAiYXKCkifCgAzk4i:DW5fB+N3PawUeXCLXFVKhk

Targets

    • Target

      Delta V3.61 b_68875918.exe

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins to extend its functionality.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      A parent process that does not normally create child processes spawned one; this typically indicates the parent was compromised via an exploit or a malicious document macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      The sample queries a legitimate public IP-lookup web service to learn the infected system's external IP address.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, an anti-debugging technique that stops an attached debugger from receiving events for that thread.
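The registry-based behaviours listed above (Winlogon tampering for persistence, a Run key entry, Task Manager disabled through a policy value) are the ones a responder can confirm from endpoint telemetry. The Python below is an added example and is not part of the sandbox report or of any tool it references: the event lines, the `dcrat.exe` drop path and the SID are constructed for illustration, and the pipe-delimited `EventID|Image|TargetObject|Details` layout only loosely mirrors the fields of a Sysmon EventID 13 (RegistryEvent, value set) record.

```python
"""Flag the registry modifications named in the report in Sysmon-style
value-set events (added example; sample events are constructed)."""
import re
from dataclasses import dataclass

# Constructed events: "EventID|Image|TargetObject|Details". The first three
# mimic the reported behaviours; the last two are benign writes that must
# not be flagged. Paths, file names and the SID are made up.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
DROP = r"C:\Users\victim\AppData\Roaming\dcrat.exe"
SAMPLE_EVENTS = [
    r"13|" + DROP + r"|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|"
    r"C:\Windows\system32\userinit.exe," + DROP,
    r"13|" + DROP + r"|" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr|"
    r"DWORD (0x00000001)",
    r"13|" + DROP + r"|" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dcrat|" + DROP,
    # Benign: Windows setup rewriting Userinit to its stock value (trailing comma included).
    r"13|C:\Windows\system32\msiexec.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|"
    r"C:\Windows\system32\userinit.exe,",
    # Benign: installer registering an updater from Program Files.
    r"13|C:\Windows\system32\msiexec.exe|" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate|"
    r"C:\Program Files\Vendor\updater.exe",
]


@dataclass
class Finding:
    rule: str
    image: str
    target: str
    details: str


# Winlogon\Shell and Winlogon\Userinit are the two values malware appends to.
WINLOGON_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
# Stock values on a clean Windows install; anything else is tampering.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
TASKMGR_RE = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)
RUNKEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Heuristic: autostart entries pointing into user-writable locations.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def parse_event(line):
    event_id, image, target, details = line.split("|", 3)
    return event_id, image, target, details


def winlogon_tampered(value_name, details):
    # Windows stores Userinit with a trailing comma; strip it before comparing.
    normalised = details.strip().rstrip(",").lower()
    return normalised != WINLOGON_DEFAULTS[value_name.lower()]


def dword_nonzero(details):
    # Sysmon renders DWORDs as "DWORD (0x00000001)"; any non-zero value disables Task Manager.
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return bool(m) and int(m.group(1), 16) != 0


def scan(lines):
    findings = []
    for line in lines:
        event_id, image, target, details = parse_event(line)
        if event_id != "13":  # only value-set events carry the written data
            continue
        m = WINLOGON_RE.search(target)
        if m and winlogon_tampered(m.group(1), details):
            findings.append(Finding("winlogon_persistence", image, target, details))
        elif TASKMGR_RE.search(target) and dword_nonzero(details):
            findings.append(Finding("taskmgr_disabled", image, target, details))
        elif RUNKEY_RE.search(target) and USER_WRITABLE_RE.search(details):
            findings.append(Finding("run_key_user_writable", image, target, details))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image} -> {f.target} = {f.details}")
```

The Winlogon rule compares against the stock Shell and Userinit values rather than looking for a specific file name, so it catches any appended path. The Run-key rule is only a heuristic: legitimate software also autostarts from AppData, so in production it sits behind an allowlist of known publishers and paths. The DisableTaskMgr value is a per-user policy, which is why the constructed event lives under the user's HKU hive.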
