General

  • Target

    0E38F27D79158A60EB55B2CC9A53D711.exe

  • Size

    11.0MB

  • Sample

    240530-c3kmtscd56

  • MD5

    0e38f27d79158a60eb55b2cc9a53d711

  • SHA1

    088e81dd3cafb143133da25124a0880a29c448f0

  • SHA256

    9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471

  • SHA512

    ad052b98001936e0e71f89c8c7c117feda317c4a4ff5b0fd3403db2d90cb38d0bd2a7f7396ddf777ddf4d04e992edd2c1e1f288761060c436183d23490363c78

  • SSDEEP

    196608:XDjdqua/WBpKJiziKUKRzBVCzTsx7nJJHywSBJa53pyRQ1I34jMGM:XNm+BpYiuK9RzBIzTsBSBJaBpyRQyoQj

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled
