General

  • Target

    LunarClient.exe

  • Size

    1.7MB

  • Sample

    240623-spk97szbll

  • MD5

    9ed416dd7d2703d7025b67964ceaa618

  • SHA1

    a8cd8d8dde51b3df56967635b63e7190debe38d5

  • SHA256

    88436e50ecbe11ba2bc79af72ab1e5d774e2217feee9e10f077216a5d530ab7c

  • SHA512

    02736235fad8e993c8c5a047bdab5af817c0efd81c39a13fecdca10df25f188503404ddbadfee93bbe1442acd7d63801f379bdd4a6143e75189dde5375dd7c5c

  • SSDEEP

    24576:V2G/nvxW3WUmnzqXrUG+0EndmO35gHz/EXrcpfU00H6N3RZYcq48yP2Ycl1uEzL:VbA3G+Xu3ndxKccpfUb620P8lF

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks