General

  • Target

    ddea9b5a1f17983048d1cd11bae94bdf

  • Size

    3.0MB

  • Sample

    240325-nrn2naed79

  • MD5

    ddea9b5a1f17983048d1cd11bae94bdf

  • SHA1

    fe8624e9b4556935b96a6d418680d236b0edc3aa

  • SHA256

    7e4a32495bf612f02d618faf6558d0e214e3b9d0f6ba520aedfbd022fa12166d

  • SHA512

    d46edd04eba4b7a5bb4d3518746077dfd5f98872043510f995002e0cfd13130e9e0bc25a4368ed80390f6d879a6f6367e20677d9ca86af5a2557dc552964fa1d

  • SSDEEP

    49152:UbA30mALm8Yh9RN0IrSRKEcRPAU9w0VzOl1awnoN5rJsFzIMuczH:UbrBY5N0IrSsEcRb+l9OZ0kM7j

Malware Config

Targets

    • Target

      ddea9b5a1f17983048d1cd11bae94bdf

    • Size

      3.0MB

    • MD5

      ddea9b5a1f17983048d1cd11bae94bdf

    • SHA1

      fe8624e9b4556935b96a6d418680d236b0edc3aa

    • SHA256

      7e4a32495bf612f02d618faf6558d0e214e3b9d0f6ba520aedfbd022fa12166d

    • SHA512

      d46edd04eba4b7a5bb4d3518746077dfd5f98872043510f995002e0cfd13130e9e0bc25a4368ed80390f6d879a6f6367e20677d9ca86af5a2557dc552964fa1d

    • SSDEEP

      49152:UbA30mALm8Yh9RN0IrSRKEcRPAU9w0VzOl1awnoN5rJsFzIMuczH:UbrBY5N0IrSsEcRb+l9OZ0kM7j

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks