General

  • Target

    47080165218405f220b00c0f6897517c.exe

  • Size

    3.0MB

  • Sample

    231209-kywtasffgp

  • MD5

    47080165218405f220b00c0f6897517c

  • SHA1

    9fdf2bf8eb32c906d42e8dcf5f35c902f58621cd

  • SHA256

    942ce9bb5178d33eb90530cb614c3857f6b76723548e2e2865655072f47ecc62

  • SHA512

    8e2221c7030c28d8e8220e801d0cac7120acc71e88ec87dce605ccbe69ff864bee8d757274743e37ca9931409535e0c75a3c915866eb19ced56e9aa915f883d0

  • SSDEEP

    49152:p+0qDsQS+bwE7hpfKHMvHUKxrjSx8TtT8ELcyfBdTAnygXsn/bF:p+psox0svHU3xCR8EjHgYb

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks