General

  • Target

    149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0

  • Size

    1.7MB

  • Sample

    240513-xj3phshf81

  • MD5

    2654ed21f41ddf23c0bcad4b7fe550e1

  • SHA1

    55191e232ee3851a66f264cc3f163a5a14c84843

  • SHA256

    149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0

  • SHA512

    748d64575954c442b1a261a8b647b4dd9af93b42382bb227972c977818ed155bc93a8afc1e7e7edcf62da32877581fb9a42b87521bc849be45a27711639a0c2d

  • SSDEEP

    24576:w2G/nvxW3WieChFP0UI2K/L7OXxfeacboEkAGpkXqde7u0GUzzGQYpXTcviXSzDI:wbA3jYUI2JX68Ncu0fnS5yiXSzD

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • DCRat payload

      Detects a DCRat payload, which is commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Drops file in System32 directory
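
The signatures above are only named. As an added example (not part of this report or of the sandbox's own rule set), the Python below expresses three of them, the Task Manager registry change, the country-code lookup and the write into System32, as detection rules run over a constructed, Sysmon-like event trace. The registry paths are the standard Windows locations for these settings and are assumed here: the report does not state which keys or paths the sample actually touched.

```python
import re

# Standard Windows locations for the settings named in the report (assumed;
# the report itself does not say which keys or paths the sample touched).
DISABLE_TASKMGR_KEY = re.compile(
    r"^HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"Policies\\System\\DisableTaskMgr$", re.IGNORECASE)
GEO_NATION_KEY = re.compile(
    r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
SYSTEM32_PATH = re.compile(r"^C:\\Windows\\System32\\", re.IGNORECASE)
WINDOWS_IMAGE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)

# Constructed event trace in a Sysmon-like shape; not taken from the sample.
# The first three events should fire, the rest are benign host noise.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "value": 1},
    {"type": "registry_query", "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "path": r"C:\Windows\System32\Tasks\Updater"},
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "value": 1},
    {"type": "file_write", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\System32\winevt\Logs\System.evtx"},
    # Setting the value back to 0 re-enables Task Manager; not the behaviour of interest.
    {"type": "registry_set", "image": r"C:\Windows\System32\gpupdate.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "value": 0},
]


def disables_task_manager(ev):
    """DisableTaskMgr set to 1 under the user or machine policy key."""
    return (ev["type"] == "registry_set"
            and DISABLE_TASKMGR_KEY.match(ev["key"]) is not None
            and int(ev.get("value", 0)) == 1)


def checks_location(ev):
    """Any read (or write) of the configured country code, the likely geofence input."""
    return (ev["type"] in ("registry_query", "registry_set")
            and GEO_NATION_KEY.match(ev["key"]) is not None)


def drops_in_system32(ev):
    """File written under System32 by an image outside C:\\Windows.

    Windows' own binaries write there constantly, so only unusual writers count."""
    return (ev["type"] == "file_write"
            and SYSTEM32_PATH.match(ev["path"]) is not None
            and WINDOWS_IMAGE.match(ev["image"]) is None)


RULES = {
    "Disables Task Manager via registry modification": disables_task_manager,
    "Checks computer location settings": checks_location,
    "Drops file in System32 directory": drops_in_system32,
}


def detect(events):
    """Return (signature, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


def signatures(events):
    """Distinct signature names in the order they first fire, like the report's list."""
    seen = []
    for name, _ in detect(events):
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev['image']} -> {ev.get('key') or ev.get('path')}")
```

The System32 rule deliberately allow-lists every image under C:\Windows rather than naming specific system binaries; on a real host that allow-list is the part to tune, since a dropped EXE that first copies itself into C:\Windows would slip past it.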

MITRE ATT&CK Enterprise v15

Tasks