General

  • Target

    update.exe

  • Size

    3.6MB

  • Sample

    240622-zshf2stgjc

  • MD5

    a6246d26b25397c8423b37072a5324af

  • SHA1

    6af1face2a423211499e06a61c1f124c43cc9c75

  • SHA256

    a573fd4278d7d2368bbc067fab817358adbdc9150518fc5dbd9c29bbae3b5283

  • SHA512

    1bb9b4a32a94d4eadec1f11eb2cd4aba4df119012aaa157c0e3e4733c915015bb983f48ba85b311e5fb7b75bcad3df0264d9b2a31ef85159b9256d771cf0fa40

  • SSDEEP

    49152:UbA30Zm7ASeO5KSAktY85Fm4LpZVfMz/ha0E3b5geMsoC8nUV6J8+KxpmctXIw:UbA7ASXKPKBfihanL2VX4cJ8+KxZd

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain regions).

    • Executes dropped EXE

    • Checks whether UAC is enabled

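The signatures above are the sandbox's summary of what the sample did; they are easy to reproduce as rules over a process, file and registry event stream. The script below is an added example (not the sandbox's own rule code and not derived from this sample's trace): it replays four of the listed signatures over a constructed event list. The registry paths it keys on (`Control Panel\International\Geo\Nation` for the locale country code, `Policies\System\EnableLUA` for the UAC toggle) are the well-known locations for those values, but whether the sandbox's rules use exactly these paths is an assumption, as is the parent-to-child allow-list used for "unexpected child process".

```python
"""Replay of the behaviour signatures listed in this report over constructed
sandbox events. Example code, not the sandbox's own rules."""
import ntpath
import re

# Registry values the two registry-based signatures key on. These are the
# usual homes of the locale country code and the UAC toggle; that the sandbox
# rules match exactly these paths is an assumption for this example.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
ENABLE_LUA = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)

# Parent -> child pairings treated as "unexpected" (assumed list for the
# example; a production rule set would be larger and tuned per environment).
UNEXPECTED_CHILDREN = {
    "winword.exe": {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"},
    "excel.exe": {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"},
    "update.exe": {"cmd.exe", "powershell.exe", "schtasks.exe"},
}


def base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


def run_signatures(events):
    """Return {signature name: [indices of events that fired it]}.

    `events` is an ordered list of dicts with a "type" of reg_read,
    file_write or proc_create and the fields used below.
    """
    hits = {
        "Checks computer location settings": [],
        "Checks whether UAC is enabled": [],
        "Executes dropped EXE": [],
        "Process spawned unexpected child process": [],
    }
    dropped = set()  # lower-cased paths written so far during the run
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "reg_read":
            if GEO_NATION.search(ev["path"]):
                hits["Checks computer location settings"].append(i)
            elif ENABLE_LUA.search(ev["path"]):
                hits["Checks whether UAC is enabled"].append(i)
        elif kind == "file_write":
            dropped.add(ev["path"].lower())
        elif kind == "proc_create":
            # Only a file written EARLIER in the run counts as dropped; a
            # write that comes after the exec must not match retroactively.
            if ev["image"].lower() in dropped:
                hits["Executes dropped EXE"].append(i)
            parent = base(ev["parent_image"])
            if base(ev["image"]) in UNEXPECTED_CHILDREN.get(parent, ()):
                hits["Process spawned unexpected child process"].append(i)
    return hits


# Constructed event stream loosely modelled on an NSIS installer dropping and
# running a payload. PIDs and paths are invented for the example and are not
# taken from the report above.
SAMPLE_EVENTS = [
    {"type": "proc_create", "pid": 1000, "ppid": 600,
     "image": r"C:\Users\user\Desktop\update.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_write", "pid": 1000,
     "path": r"C:\Users\user\AppData\Local\Temp\nsx1A2B.tmp\payload.exe"},
    {"type": "proc_create", "pid": 1100, "ppid": 1000,
     "image": r"C:\Users\user\AppData\Local\Temp\nsx1A2B.tmp\PAYLOAD.EXE",
     "parent_image": r"C:\Users\user\Desktop\update.exe"},
    {"type": "reg_read", "pid": 1100,
     "path": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"type": "reg_read", "pid": 1100,
     "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "proc_create", "pid": 1200, "ppid": 1000,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\update.exe"},
    {"type": "reg_read", "pid": 1100,
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for name, ids in run_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {'hit' if ids else 'no hit'} {ids}")
```

Two details matter in practice: path comparison is case-insensitive because NTFS is, so `PAYLOAD.EXE` still matches the dropped `payload.exe`; and "dropped" is evaluated in event order, so the rule distinguishes an installer that writes then runs a file from a process that merely happens to overwrite a binary after executing it.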