General

  • Target

    6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4

  • Size

    1.7MB

  • Sample

    240601-2lrr9ahc8x

  • MD5

    39f0dd73b6cd3626818cb2f1dc808fff

  • SHA1

    5a75243e011e0b435225548d7d332a5401813c7a

  • SHA256

    6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4

  • SHA512

    c4a72e89c655dbd54fe1f9ace1e5106b589f145a67226f857bb0d118036f244bf040c6043cd95ec89f4097c96789cf85b9954dc5a99df78417f1b349e34ad5f0

  • SSDEEP

    24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables packed with SmartAssembly

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE
