General

  • Target

    BuildR.exe

  • Size

    1.2MB

  • Sample

    240601-qlcgsaea93

  • MD5

    6386c6bc5c2e9e6ea345b370f67868b6

  • SHA1

    534e13f301e9816d6df34ac36d31bfc1b03c1a39

  • SHA256

    d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae

  • SHA512

    85004597a30f91b42b857e66d2a186c0b359a884981f3ace452e270f618776233d2ed489e66b06aa8e6c0f25dedc76c827480c2bcb608bf6b17408c7d62712dd

  • SSDEEP

    24576:/2G/nvxW3WxE37uuHjiOZmd3Oq+PaEzSJUmgvPgyGGsOfCGHsIIm:/bA3HLffCG7rs4Hsg

Score
10/10

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to determine the infected system's external IP address.

MITRE ATT&CK Enterprise v15