General

  • Target

    Ref.exe

  • Size

    1.8MB

  • Sample

    240622-ylbjgswfnl

  • MD5

    fa160d309b396d01cbdb477716f76c32

  • SHA1

    a5dac93650849cdcb22704b0994bff42d899c4a6

  • SHA256

    96faf0c77d1f0a40f95a41625eede49eefcf097e85d51e85d81285708fd748ee

  • SHA512

    c74f8b76d05a1f82a268847a67e209319daa2da1d3a605506c427781081032071ff22aa44ffa9dc933a00e3add40a74df65bbc0c9e32abe432fa0dc798f9a5d3

  • SSDEEP

    49152:UbA301UISJDFkeh8K6028WbYSGMEMc2jsI9ImlW:UbhUISJDFX60tWkSFcc9IN

Malware Config

Targets

    • Target

      Ref.exe

    • Size

      1.8MB

    • MD5

      fa160d309b396d01cbdb477716f76c32

    • SHA1

      a5dac93650849cdcb22704b0994bff42d899c4a6

    • SHA256

      96faf0c77d1f0a40f95a41625eede49eefcf097e85d51e85d81285708fd748ee

    • SHA512

      c74f8b76d05a1f82a268847a67e209319daa2da1d3a605506c427781081032071ff22aa44ffa9dc933a00e3add40a74df65bbc0c9e32abe432fa0dc798f9a5d3

    • SSDEEP

      49152:UbA301UISJDFkeh8K6028WbYSGMEMc2jsI9ImlW:UbhUISJDFX60tWkSFcc9IN

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks