General

  • Target

    25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8

  • Size

    3.2MB

  • Sample

    240531-yhsctsba7t

  • MD5

    a785b1ff3467b61f4506c7022ad13e31

  • SHA1

    9f76c04963f2de14f4aaa13dcf9af98f79f89a91

  • SHA256

    25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8

  • SHA512

    ca56b31a25b23de63fc7131788c350f0081c5673fc7456781a93f2ec9852948d5500e5fd06c30924dd6614e7bc2a1bc9346f02e067a06bb4b26c96f70f6ad0c9

  • SSDEEP

    49152:nC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:nC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Targets

    • Target

      25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8

    • Size

      3.2MB

    • MD5

      a785b1ff3467b61f4506c7022ad13e31

    • SHA1

      9f76c04963f2de14f4aaa13dcf9af98f79f89a91

    • SHA256

      25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8

    • SHA512

      ca56b31a25b23de63fc7131788c350f0081c5673fc7456781a93f2ec9852948d5500e5fd06c30924dd6614e7bc2a1bc9346f02e067a06bb4b26c96f70f6ad0c9

    • SSDEEP

      49152:nC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:nC0Fl8v/qXYrv5tG9uKJGAWl5N

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables packed with SmartAssembly

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks