General

  • Target

    285bc42ebd4be5f3acdae7b575af64bf.exe

  • Size

    1.3MB

  • Sample

    240623-ehcgtsygrc

  • MD5

    285bc42ebd4be5f3acdae7b575af64bf

  • SHA1

    64a3d370b20bea1fc84130caaf3453c388cc0def

  • SHA256

    90b1c491ebd369f524e0343718ac18651ffee650df5b887123a53430a55f7baf

  • SHA512

    edce9a2aab3214c23ca0d82051b24128a531e8b80e8df005b85b4e1f3f51e6588380b5459264329cf3cf13d8919bc75424f6a272a0e18ae9c4664a9719d1d947

  • SSDEEP

    24576:NX2fnpyce4ZH1mT/MaKQoTSBNHd3ZDZgBiCUsDLsNRvya:NX2ZejTUaKZ+BNH/DZgBENRv

Malware Config

Targets

    • Target

      285bc42ebd4be5f3acdae7b575af64bf.exe

    • Size

      1.3MB

    • MD5

      285bc42ebd4be5f3acdae7b575af64bf

    • SHA1

      64a3d370b20bea1fc84130caaf3453c388cc0def

    • SHA256

      90b1c491ebd369f524e0343718ac18651ffee650df5b887123a53430a55f7baf

    • SHA512

      edce9a2aab3214c23ca0d82051b24128a531e8b80e8df005b85b4e1f3f51e6588380b5459264329cf3cf13d8919bc75424f6a272a0e18ae9c4664a9719d1d947

    • SSDEEP

      24576:NX2fnpyce4ZH1mT/MaKQoTSBNHd3ZDZgBiCUsDLsNRvya:NX2ZejTUaKZ+BNH/DZgBENRv

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks