General

  • Target

    CL_Installer.exe

  • Size

    2.0MB

  • Sample

    240622-n7vjdaxcng

  • MD5

    0b57729518305b0dfe9636beebc0dde1

  • SHA1

    59cd771cb6a02aa02f1eb7fd2a65d5b9bf7f228c

  • SHA256

    3592f60e97f29ab2d4e60ed3604d154c4455f59c318723aa0d25dd6a5c255f66

  • SHA512

    59aec3bbb1a233eb42553e33d8dd476d9edee02c27fca9196b8e9bb75d6a8f3429ec93aab6211b36058e53dc85506317f0f4f0c17a40b9f149293526f86c59d1

  • SSDEEP

    49152:+bA3jSvHAAuLeeh9nMW+LktXOAP2s0I0ykq:+b1YBMDk7H0FyL

Malware Config

Targets

    • Target

      CL_Installer.exe

    • DcRat

      DarkCrystal (DC) is a .NET RAT that has been active since June 2019 and is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other sensitive items.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks