General

  • Target

    4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1.exe

  • Size

    13.1MB

  • Sample

    240601-bmbvbadb95

  • MD5

    47ca55cdb30db720d739bfb73504b928

  • SHA1

    d0292acd8f617ce49e1830bd47e108c4c3f833e2

  • SHA256

    4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1

  • SHA512

    6b265038b6f7b92238dcd33a9fac5cfca359df72107d037e038417d86a3a3bc79a46552ae3bfa8ab2aba257a72bb1b7f1584bc9ca3402483677ee9314d02af74

  • SSDEEP

    393216:cjMG3LZAmatuaWyJbpuSvTW00xyysfbtNcEH:cjr6matuapuSrW00xl4wEH

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks