General

  • Target

    7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47

  • Size

    1.2MB

  • Sample

    240513-2zh29shg55

  • MD5

    7b05cf7f9e8162f55d50f10f711df29a

  • SHA1

    6c077351d11f6069067d69b6ece6d0989e972c99

  • SHA256

    7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47

  • SHA512

    275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8

  • SSDEEP

    24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables containing base64-encoded gzip files

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks