General

  • Target

    2d41eca3ec808efb425bdc7ea84d67bb.bin

  • Size

    17.9MB

  • Sample

    240531-brszdsah35

  • MD5

    c39f3958f7bbc4aa20bbc1876a3ce3a4

  • SHA1

    d9afd10245b7464b2a2fe43ee17c9452fa2caa76

  • SHA256

    5c4cd1684c9df3babb8eea5b6c37f80015b9b9c0fd1e4548e4cc5b36005471e5

  • SHA512

    d1b2645cb47130df2a7a31e23c5a3e80fb12136093d9b3e020b9c0728d6d775a3bcc6269a3da4606802836bd7af1e2acac53cb2b08143aef36e02255e1f7c1d4

  • SSDEEP

    393216:Lxr+jLWZvegsj9ABa7BLrm4mbXZxg/rK/DEpejqUyUPI0mMF1weIjcDg:Lxr+uUgc9ABiBLi3z6FejqUy3aLajcc

Malware Config

Targets

    • Target

      a539cf912da1307e901cb90312df5273b8702492e6a0f4e4802cd4004919b3e4.exe

    • Size

      18.0MB

    • MD5

      2d41eca3ec808efb425bdc7ea84d67bb

    • SHA1

      aaf40e152a63229732b66581840bc2cb7b86eab0

    • SHA256

      a539cf912da1307e901cb90312df5273b8702492e6a0f4e4802cd4004919b3e4

    • SHA512

      dd8e446002817a6401b9aa7d05ed0614efdcf1f1b338b206d90ef10e09a8a49438bc646118bacf0c2a1eb1ecdb773a5cec04ed897e57e238dfc4b4b7af468b56

    • SSDEEP

      393216:/BeVnrj1rhDY+kPskzQsFBkw5/XPZ3w/okY3VoOTWOL7E7:UVrj1Fc+Xy/NCwVoOTe

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks