General

  • Target

    test.exe

  • Size

    1.5MB

  • Sample

    240602-kcw7yagg55

  • MD5

    175a4d8eac271af8d3bad9650aa69de2

  • SHA1

    50dc4f5bbc8534d448c3bfdb399895c89f35f429

  • SHA256

    e6f5a22e02d955d98c78d0c327071b908e17b033be56a979f1350d24b399f0d7

  • SHA512

    0d07d210133147144cbd0f72be0a893b2bb14124a50051e83b48d21d7d0ed4dcbb835b4ddef82cb6a06e8afeef3dca6b2de6146e338a866fba5936404b2cd7a1

  • SSDEEP

    24576:u2G/nvxW3WieCu5Rqq93u1h7mGIPOD5HRGbkFc9QomqJ:ubA3ju5Ro1Fm+kAFQx

Targets

    • Target

      test.exe

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.
