General

  • Target

    ca851ef16c519ecf785610e2db584a5b79f41c76916b28164e580e4fa1238715.exe

  • Size

    2.2MB

  • Sample

    240324-dktnfsha26

  • MD5

    e1d86c6e52c904e9af8bc1351a66a131

  • SHA1

    482741be08bba2ab5e3fd9d181a1dc8539121f8d

  • SHA256

    ca851ef16c519ecf785610e2db584a5b79f41c76916b28164e580e4fa1238715

  • SHA512

    fed19d61d82ef7bc267ee42413a5a6fa07f0cca4f1ca1f42ef4c294aef6bb9424b2b2dc9ea4cf0040dff5f526eaa5b07f561decf9a7310b93474657d718676b4

  • SSDEEP

    49152:UbA30bEln+8YPyZc6wkQbPVqlC8m5saKHaFg35:UbUJ+lyZKjVJDWaA5

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
