General

  • Target

    c7d3a9e1c14ce6fa9ddc47c32098a798100a765a5fb8ffab6f49d9e6fb1f61d8

  • Size

    1.2MB

  • Sample

    240512-dyy54aeb7t

  • MD5

    373dd03a991ad6f503798d8570c7fe5c

  • SHA1

    93070f297b0f28f0ff66deb0de540e8ab2e8ce32

  • SHA256

    c7d3a9e1c14ce6fa9ddc47c32098a798100a765a5fb8ffab6f49d9e6fb1f61d8

  • SHA512

    f50e23cdae54d334f4d58a33f4dc7ceba1d9c248a50adb523b1cc91ef2b18a5e0a6c739b9816850b4c42dc4ca5c7d5bb3e6c6add3b6e5237094c4b9725277b4f

  • SSDEEP

    24576:tR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:zJaDKf4p4UD1v

Malware Config

Targets

    • Target

      c7d3a9e1c14ce6fa9ddc47c32098a798100a765a5fb8ffab6f49d9e6fb1f61d8

    • Size

      1.2MB

    • MD5

      373dd03a991ad6f503798d8570c7fe5c

    • SHA1

      93070f297b0f28f0ff66deb0de540e8ab2e8ce32

    • SHA256

      c7d3a9e1c14ce6fa9ddc47c32098a798100a765a5fb8ffab6f49d9e6fb1f61d8

    • SHA512

      f50e23cdae54d334f4d58a33f4dc7ceba1d9c248a50adb523b1cc91ef2b18a5e0a6c739b9816850b4c42dc4ca5c7d5bb3e6c6add3b6e5237094c4b9725277b4f

    • SSDEEP

      24576:tR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:zJaDKf4p4UD1v

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables containing bas64 encoded gzip files

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks