General

  • Target

    9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad

  • Size

    3.7MB

  • Sample

    240514-aqs3bsbf5v

  • MD5

    6f2466923bafbabe0788c6126ff713d9

  • SHA1

    2fb2911f4a08458e9aa922e4b8f6e6b4a7c2c81c

  • SHA256

    9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad

  • SHA512

    ebc5f71d041828eb54781d5fee466b0026586dfe6929fb2327a7bfb016b13427f2177b7d405523ff3457f8a1808335d76fc24467de4ef0a9dcc0a41a638f5d30

  • SSDEEP

    98304:+XXAzJltvwAu5QfCWC2UxdYZhOIeBXJcu3O:+HAzXtzu5QfCWPK+/2tJcz

Malware Config

Targets

    • Target

      9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad

    • Size

      3.7MB

    • MD5

      6f2466923bafbabe0788c6126ff713d9

    • SHA1

      2fb2911f4a08458e9aa922e4b8f6e6b4a7c2c81c

    • SHA256

      9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad

    • SHA512

      ebc5f71d041828eb54781d5fee466b0026586dfe6929fb2327a7bfb016b13427f2177b7d405523ff3457f8a1808335d76fc24467de4ef0a9dcc0a41a638f5d30

    • SSDEEP

      98304:+XXAzJltvwAu5QfCWC2UxdYZhOIeBXJcu3O:+HAzXtzu5QfCWPK+/2tJcz

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks