General

  • Target

    55E1910554C49614E6012367C09E13AB.exe

  • Size

    3.3MB

  • Sample

    240323-ehcgtsdb49

  • MD5

    55e1910554c49614e6012367c09e13ab

  • SHA1

    eb7bf3329b438593c6a1a16e0b7bec39095ac149

  • SHA256

    b97e2d55213c845bb9055906a5357723d523397c6d5b6d48a0115c9bd00f67de

  • SHA512

    ee01c2399f39b675ca3f41817c6f337f94dbec1fce97ae25f134b00296be3c71a17073b56142485d991f7c5349db41eec5f6e925aab3982adef0455a5f7202c2

  • SSDEEP

    49152:o8xhCcpCNPulYCFckZHvEdM1jegx7oOCM1Gn72tESduILWMJd33eRkX2EuFgtDGg:NhrChV+cU/NeBPMY72tRR0EuUG

Targets

    • Target

      55E1910554C49614E6012367C09E13AB.exe

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to discover the infected system's external IP address.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
