General

  • Target

    15c730b69a961a70a764d6c103c8103d.exe

  • Size

    2.8MB

  • Sample

    240602-njt8pscc95

  • MD5

    15c730b69a961a70a764d6c103c8103d

  • SHA1

    8ab55ae4b0f5c3fca54b3d28f84bde5e6bf0aef8

  • SHA256

    09bbdf5b842a244123b81ba715cd80776f83fcff31994a07376112e3524135c5

  • SHA512

    5077678ca04b268d9ed1a872744731c3cd1ed8111bd303b8343e072889635e1a0297935b4547e22e1faf91616e5f82bbdb111bf1522482fe452f4bf3dfaed028

  • SSDEEP

    49152:ybA3ndI5sas0QmyluVk0fFEfGxe0CvSNlckd0hrXq8hil:ybL5sasSoGTaL0CvSf7E3E

Targets

    • Target

      15c730b69a961a70a764d6c103c8103d.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Drops file in System32 directory
