General

  • Target

    run.exe

  • Size

    287KB

  • Sample

    240622-skl1yasejg

  • MD5

    1b52a52614f765c57f4651a86f22b988

  • SHA1

    c90db9e42c00006ef4676da054b873278fe5e18a

  • SHA256

    9b6072de723067d6276f673da5ccf95ed61302bdf6499287730ae10e8b2265d3

  • SHA512

    748f116a160059f2572e97dc0ddd75ecfdd9378e3fb7bdf5e109070f597f7b9d66cfbda78e1edc70653969dc305a789917d4637ff0fc56ef2b2ab0e64227a662

  • SSDEEP

    6144:IahOcp0yN90QEBPs16z01by14SgIu1fnfR:IiAy90fs16ougR1fZ

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks