General

  • Target

    Desktop.exe

  • Size

    2.8MB

  • Sample

    240619-t2s19atdjb

  • MD5

    0eab9acd08b61cdf615cb068a37721ec

  • SHA1

    abb40ff6143036f6fecf58c1ddcbb0db932d5c56

  • SHA256

    eb02a5967a610b6c1f6c4070426bfae82286404b0c12120c4538f6616046ac82

  • SHA512

    9747726e1e384b82743cfe3e55d3da8b60451b7118b6f1b0e7403920e149e1836833f76367d591a5d31091366655b962919b16d03a9a8f4e65641ea320a96cef

  • SSDEEP

    49152:lOtT5e0aSL6Z1zfbCW2aomgmFSD4HjLgfDFCfX9nViw3DNSV5F+5Q:lOtTU/SL41zfNgmFS8HjasftcwBg4Q
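Before working with a copy of this sample, confirm it is the file the report describes by recomputing the digests and comparing them with the values listed above. The script below is an added example for this page, not part of the sandbox report; the four hashes are copied from the report, and the empty and `abc` inputs used to exercise it are constructed. SSDEEP is not checked because fuzzy hashing is not in the Python standard library (the third-party `ssdeep` package provides it).

```python
"""Verify a local file against the MD5/SHA1/SHA256/SHA512 values in the report.

Added example; REPORT_HASHES are the values from the report above.
"""
import hashlib
import io
import sys

REPORT_HASHES = {
    "md5": "0eab9acd08b61cdf615cb068a37721ec",
    "sha1": "abb40ff6143036f6fecf58c1ddcbb0db932d5c56",
    "sha256": "eb02a5967a610b6c1f6c4070426bfae82286404b0c12120c4538f6616046ac82",
    "sha512": "9747726e1e384b82743cfe3e55d3da8b60451b7118b6f1b0e7403920e149e1836833f76367d591a5d31091366655b962919b16d03a9a8f4e65641ea320a96cef",
}


def digests(stream, algorithms=tuple(REPORT_HASHES)) -> dict[str, str]:
    """Read a binary stream once, in 64 KiB chunks, feeding every hasher."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for chunk in iter(lambda: stream.read(65536), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def digests_of_bytes(data: bytes) -> dict[str, str]:
    return digests(io.BytesIO(data))


def compare(computed: dict[str, str], expected: dict[str, str]) -> dict[str, bool]:
    """Per-algorithm verdict; an algorithm missing from `computed` is a mismatch."""
    return {alg: computed.get(alg, "").lower() == value.lower()
            for alg, value in expected.items()}


def matches_report(path, expected=REPORT_HASHES) -> bool:
    """True only if every listed digest matches the file at `path`."""
    with open(path, "rb") as f:
        return all(compare(digests(f), expected).values())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        with open(p, "rb") as f:
            result = compare(digests(f), REPORT_HASHES)
        print(p, "MATCH" if all(result.values()) else "no match", result)
```

Run it as `python verify_sample.py Desktop.exe`; a partial match (e.g. MD5 only) means the comparison table or the file has been tampered with, not that the sample is "close enough".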

Malware Config

Targets

    • Target

      Desktop.exe

    • Size

      2.8MB

    • MD5

      0eab9acd08b61cdf615cb068a37721ec

    • SHA1

      abb40ff6143036f6fecf58c1ddcbb0db932d5c56

    • SHA256

      eb02a5967a610b6c1f6c4070426bfae82286404b0c12120c4538f6616046ac82

    • SHA512

      9747726e1e384b82743cfe3e55d3da8b60451b7118b6f1b0e7403920e149e1836833f76367d591a5d31091366655b962919b16d03a9a8f4e65641ea320a96cef

    • SSDEEP

      49152:lOtT5e0aSL6Z1zfbCW2aomgmFSD4HjLgfDFCfX9nViw3DNSV5F+5Q:lOtTU/SL41zfNgmFS8HjasftcwBg4Q

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Modifies WinLogon for persistence

      The Winlogon Shell and Userinit registry values are comma-separated lists of programs started at every interactive logon, so appending a path to either runs the payload without a separate startup entry.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops an attached debugger from receiving events for that thread; a common anti-analysis technique.
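Two of the signatures above, "Modifies WinLogon for persistence" and "Adds Run key to start application", can be hunted for on a suspect host from a registry export (`reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg`, and likewise for the Run keys). The script below is an added example for this page, not code from the sandbox or from the sample: it parses the `.reg` text, compares Shell/Userinit against their stock values, lists every Run entry, and flags entries that point into user-writable directories. The embedded `.reg` text is constructed for illustration, and `C:\Users\Public\Desktop.exe` is a hypothetical drop path, not one reported for this sample.

```python
"""Triage a Windows .reg export for Winlogon Shell/Userinit tampering and Run-key entries.

Added example; SAMPLE_REG is constructed and its paths are hypothetical.
"""
import re
import sys
from pathlib import Path
from typing import Iterator

WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Directories an unprivileged user can write to; a logon entry pointing here is a red flag.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
# Stock values on a clean system. Both are comma-separated lists, so anything
# beyond the baseline is an extra program started at logon.
BASELINE = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<raw>.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (key, name, value) for REG_SZ values; hex()/dword values are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        raw = m.group("raw")
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            yield key, _unescape(m.group("name")), _unescape(raw[1:-1])


def triage(text: str) -> list[dict]:
    """Return one finding per non-baseline Winlogon entry and per Run-key value."""
    findings = []
    for key, name, value in parse_reg(text):
        if key.lower().endswith(WINLOGON_SUFFIX) and name.lower() in BASELINE:
            for entry in (e.strip() for e in value.split(",")):
                if entry and entry.lower() != BASELINE[name.lower()]:
                    findings.append({"technique": f"Winlogon {name}", "key": key,
                                     "name": name, "entry": entry,
                                     "user_writable": bool(USER_WRITABLE_RE.search(entry))})
        elif RUN_KEY_RE.search(key):
            findings.append({"technique": "Run key", "key": key, "name": name, "entry": value,
                             "user_writable": bool(USER_WRITABLE_RE.search(value))})
    return findings


def load_reg(path) -> str:
    # `reg export` writes UTF-16 LE with a BOM; hand-edited files are often UTF-8.
    data = Path(path).read_bytes()
    return data.decode("utf-16" if data.startswith(b"\xff\xfe") else "utf-8-sig")


# Constructed export: a clean Userinit, a Shell with an appended payload, and a Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\Desktop.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Desktop"="\"C:\\Users\\Public\\Desktop.exe\""
'''

if __name__ == "__main__":
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for f in triage(text):
        verdict = "SUSPICIOUS" if f["user_writable"] else "review"
        print(f"[{verdict}] {f['technique']}: {f['entry']}  ({f['key']})")
```

Run it with no arguments to see the constructed case, or pass one or more exported `.reg` files. Per-user Winlogon keys under `HKEY_USERS\<SID>\Software\...\Winlogon` are matched too, since only the key suffix is compared. A Shell value given as a full path to explorer.exe is reported for review rather than silently accepted; that is deliberate, because the stock value is the bare file name.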

MITRE ATT&CK Enterprise v15

Tasks