General

  • Target

    17642c8384eee7b5c1912c9e7abb87ef.exe

  • Size

    829KB

  • Sample

    240623-ggab7avgrm

  • MD5

    17642c8384eee7b5c1912c9e7abb87ef

  • SHA1

    dd897085ab58092fb9137dd6d86689d5d0fb2016

  • SHA256

    154a047540d3401fb123815cd6c5433bca0761c0064caae3acf02c0073471d05

  • SHA512

    1691d1d6152640ccca1bdc5e1b5b08d550b7be1211f599b9f68fd5c406a300bceeaadd808eb20090ec4d523972c6fd3e29d59fac005f37130e85cff3560ccaef

  • SSDEEP

    12288:eaoVtb+gqbqWJIitrvPh54EI41sdmH7dYkv5CA58:ejLb+gqbuitr3DB0mHymCC8

Score
10/10

Malware Config

Targets

    • Target

      17642c8384eee7b5c1912c9e7abb87ef.exe

    • Size

      829KB

    • MD5

      17642c8384eee7b5c1912c9e7abb87ef

    • SHA1

      dd897085ab58092fb9137dd6d86689d5d0fb2016

    • SHA256

      154a047540d3401fb123815cd6c5433bca0761c0064caae3acf02c0073471d05

    • SHA512

      1691d1d6152640ccca1bdc5e1b5b08d550b7be1211f599b9f68fd5c406a300bceeaadd808eb20090ec4d523972c6fd3e29d59fac005f37130e85cff3560ccaef

    • SSDEEP

      12288:eaoVtb+gqbqWJIitrvPh54EI41sdmH7dYkv5CA58:ejLb+gqbuitr3DB0mHymCC8

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks