General

  • Target

    a539cf912da1307e901cb90312df5273b8702492e6a0f4e4802cd4004919b3e4.exe

  • Size

    18.0MB

  • Sample

    240530-btqxtaad75

  • MD5

    2d41eca3ec808efb425bdc7ea84d67bb

  • SHA1

    aaf40e152a63229732b66581840bc2cb7b86eab0

  • SHA256

    a539cf912da1307e901cb90312df5273b8702492e6a0f4e4802cd4004919b3e4

  • SHA512

    dd8e446002817a6401b9aa7d05ed0614efdcf1f1b338b206d90ef10e09a8a49438bc646118bacf0c2a1eb1ecdb773a5cec04ed897e57e238dfc4b4b7af468b56

  • SSDEEP

    393216:/BeVnrj1rhDY+kPskzQsFBkw5/XPZ3w/okY3VoOTWOL7E7:UVrj1Fc+Xy/NCwVoOTe

Malware Config

Targets

    • Target

      a539cf912da1307e901cb90312df5273b8702492e6a0f4e4802cd4004919b3e4.exe

    • Size

      18.0MB

    • MD5

      2d41eca3ec808efb425bdc7ea84d67bb

    • SHA1

      aaf40e152a63229732b66581840bc2cb7b86eab0

    • SHA256

      a539cf912da1307e901cb90312df5273b8702492e6a0f4e4802cd4004919b3e4

    • SHA512

      dd8e446002817a6401b9aa7d05ed0614efdcf1f1b338b206d90ef10e09a8a49438bc646118bacf0c2a1eb1ecdb773a5cec04ed897e57e238dfc4b4b7af468b56

    • SSDEEP

      393216:/BeVnrj1rhDY+kPskzQsFBkw5/XPZ3w/okY3VoOTWOL7E7:UVrj1Fc+Xy/NCwVoOTe

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables containing bas64 encoded gzip files

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks