General

  • Target

    7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe

  • Size

    3.3MB

  • Sample

    240325-cn3j4agc5z

  • MD5

    1d6590415fa189e9c982e883dc3bcdde

  • SHA1

    8261a5718af6eb9ebee4e822e5bd0138f7915dc3

  • SHA256

    7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649

  • SHA512

    304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e

  • SSDEEP

    98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1219193245557325834/Pny7ckgnLuo9kv28SEntCevPyhBWlY4AfJu4MogOozH9-s-mNnQ7UZJcF1RdHsmmAwgC

Targets

    • Target

      7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe

    • Size

      3.3MB

    • MD5

      1d6590415fa189e9c982e883dc3bcdde

    • SHA1

      8261a5718af6eb9ebee4e822e5bd0138f7915dc3

    • SHA256

      7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649

    • SHA512

      304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e

    • SSDEEP

      98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Umbral payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables attemping to enumerate video devices using WMI

    • Detects executables containing possible sandbox analysis VM names

    • Detects executables containing possible sandbox analysis VM usernames

    • Detects executables containing possible sandbox system UUIDs

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks