General

  • Target

    hui.exe

  • Size

    4.9MB

  • Sample

    240712-xg84hsxhne

  • MD5

    6dd3349a069138120e48d8feb73e73c8

  • SHA1

    bb074e9cbbdb1b927a540512ecd5ca9915471943

  • SHA256

    b043cf42035b5cf2ec0f7082dbddae83f12f75bb471b0fe68e9b13b9aa1b2f5d

  • SHA512

    a0bfccd3852096ff2955dd6e097ee6ce0238f91d3cd236c8d6cd53565c02124dd8d93eb9b28632ba05fa3a0b3d1873856a40388976b752cd839f0ae3026d174b

  • SSDEEP

    98304:nqwoGvOmkHvjEUo9Kei4h01rglxUOknyC63s3wb0otcjBd:nqwJvODvY59k1gQLy23i1c9d

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15