General

  • Target

    5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe

  • Size

    3.3MB

  • Sample

    240618-vldr3ascqa

  • MD5

    20ba93789eb7001ba9e4842bcc69fe62

  • SHA1

    4f2de529f2094f978d35cfb040cbd6e7c6274f98

  • SHA256

    5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db

  • SHA512

    327f2a7900f9900a6fb6f86f46efb8936b0327142f8e7120cd9d3db7b87b762c2288971b48ffe8fd3ec2e751f492652fb87da8197becf9b30e59b3d9247934b1

  • SSDEEP

    49152:5PVa2oTM2mNcc1txMW/ixmw5d2eca2FBXElIu1KGwuEZ1Lz+6:5P932cd1txhi55Ie72kIu1xw5z+

Malware Config

Targets

    • Target

      5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe

    • Size

      3.3MB

    • MD5

      20ba93789eb7001ba9e4842bcc69fe62

    • SHA1

      4f2de529f2094f978d35cfb040cbd6e7c6274f98

    • SHA256

      5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db

    • SHA512

      327f2a7900f9900a6fb6f86f46efb8936b0327142f8e7120cd9d3db7b87b762c2288971b48ffe8fd3ec2e751f492652fb87da8197becf9b30e59b3d9247934b1

    • SSDEEP

      49152:5PVa2oTM2mNcc1txMW/ixmw5d2eca2FBXElIu1KGwuEZ1Lz+6:5P932cd1txhi55Ie72kIu1xw5z+

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks