General

  • Target

    05e1e5f583a0b3fcd2942e510e043390_NeikiAnalytics.exe

  • Size

    3.5MB

  • Sample

    240516-wgqrhagf87

  • MD5

    05e1e5f583a0b3fcd2942e510e043390

  • SHA1

    419886ae23f5c570fc7b3d8566d283704babe8d2

  • SHA256

    7661633a313942bea214c2b817629c91bbfebbf0987c3f86b804bc0319391dda

  • SHA512

    371b6b2870a83ee15478f1e4f3b9e06c82ff1f92d7ed872f063fcea3dae74ef8aca3c79f6b345683c268cd2045aa2db811a1a1f543ebe20920c3d4099f9e1ce0

  • SSDEEP

    49152:ZYnbuYI15BEy23PvA9NLEhx7I7hm2MyOd5BIoH6h/Uey+AA3H:ZYn41uA3ET7c/Gd5BJgBy/A3H

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks