General

  • Target

    EXCheker.rar

  • Size

    954KB

  • Sample

    240618-knyvxawbqg

  • MD5

    e69eb402522292a72d53e50d29c7b7ec

  • SHA1

    b471f17c18667453cfc887f7657aa863893d0d50

  • SHA256

    4da4cda309e6e284c0c6f123014672cf5b964f528ae86faa0a6e94ce32a4e6e2

  • SHA512

    a126ce0ed398d8a811d4f77f9d724f64a2df03d1d06a4bedf5cc20492601ae3940f24aa83fdaeb91a474313632acf90119edaff8744fde35ebd9de02a824616b

  • SSDEEP

    24576:I9OkMi02D3p9Yum0L52i+/FmpN3zWL0J8lwrv:kOVSLp9U0Ujwj3vB

Score
10/10

Targets

    • Target

      EXCheker.exe

    • Size

      1.5MB

    • MD5

      ff32bd586d0af58e9493e280aecede6f

    • SHA1

      4a2eb75e64d77efec9d1433fe64da22a0aa9c5ae

    • SHA256

      2a30bba0c5a51d46169706ad3caf8a6ef1406348694e60b6abde03284a9fbf09

    • SHA512

      163ea230987fe587798810c20837370bd6e23cba296f83089ecd1780937dea558fa1c843d696ea0b5d44bea355a60b2f58da6784b41d9540b19f82e6b4a7819f

    • SSDEEP

      24576:U2G/nvxW3Ww0tPVFbA5U0nK/OTjEnVa/32TogBptlDQhW+qFviHfkjdql8s:UbA30PVCjKtEw+HfBl7

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL
