General

  • Target

    c94a64153474c42159e4fd3cc814710a6216fbecfffbb0a3262fecef5261da17.exe

  • Size

    827KB

  • Sample

    240512-kzbvhscc46

  • MD5

    260ef340594282d072fca9cc66273c50

  • SHA1

    78248970c18d7058e5c1abdcfe2e5df3320cbc64

  • SHA256

    c94a64153474c42159e4fd3cc814710a6216fbecfffbb0a3262fecef5261da17

  • SHA512

    d6dfb3f629e84f5b3a12b9f010c7e9ae9cb47fef178803139fd8a4af98c959f56fd5ba52fa2928399a4deeeffca056e9d4007338fec392e8e73c6f92b4ce15d4

  • SSDEEP

    12288:5/qsDbMYCPTE+y7b5adl7hBW6E7eeNoqq7nPZ6Z:VVCPTqb5ad5iX67nx6Z

Targets

    • Target

      c94a64153474c42159e4fd3cc814710a6216fbecfffbb0a3262fecef5261da17.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application
