General

  • Target

    CodeBreakerLoader_upd.exe

  • Size

    1.3MB

  • Sample

    240512-l4rbfaaf7t

  • MD5

    a0ffef11ce8c416f14343ebe0762091d

  • SHA1

    1cc1f6b1c2da06f2e876a2e538f98b39c563f790

  • SHA256

    d7d6202f1c8f4e020e239da950edb219ddbc22f2fd119d37b1ae7dac6bd82088

  • SHA512

    a141588fa02287762b5a6a372f88abe4eb8453ebb49311a915dec55f2363eb9b96fd15ce2566eec28436b74a4c6529936d089a5b4a955da6f20236d533f10efd

  • SSDEEP

    24576:G2G/nvxW3WjL76C14yIUzKfuB5+M1eWhWx24yKlM3ipj49:GbA3m6C14y4uB/oxgUw0y

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks