General

  • Target

    AtomClient.exe

  • Size

    2.3MB

  • Sample

    240715-ks8wns1crg

  • MD5

    a9dd17ba223ce69553957c20f4c9ca74

  • SHA1

    61d11d0b938a90caf7e5f26fc9bdbe22b036f189

  • SHA256

    c521271b3c3655b0e7f64da3c8e6410fd83b74c896d7f61f2e48fc68ec821b1c

  • SHA512

    c1f4075a06be5ad506a0ec16d35db99f6fb648cd8569bf791eb56e7fec5fb3b08e3c163856f9b6b473e0107a5b7afb305a3be8fa72a7c4513a0932af935b5d20

  • SSDEEP

    24576:h2G/nvxW3WX01Ox/1zDxWnK/5RYaILeborzV3Cs6KJuwmDK8VOIvLy/G9iUUfKDa:hbA3xo3mKnk/VVg/K86G9gfu+0by

Malware Config

Targets

    • Target

      AtomClient.exe

    • Size

      2.3MB

    • MD5

      a9dd17ba223ce69553957c20f4c9ca74

    • SHA1

      61d11d0b938a90caf7e5f26fc9bdbe22b036f189

    • SHA256

      c521271b3c3655b0e7f64da3c8e6410fd83b74c896d7f61f2e48fc68ec821b1c

    • SHA512

      c1f4075a06be5ad506a0ec16d35db99f6fb648cd8569bf791eb56e7fec5fb3b08e3c163856f9b6b473e0107a5b7afb305a3be8fa72a7c4513a0932af935b5d20

    • SSDEEP

      24576:h2G/nvxW3WX01Ox/1zDxWnK/5RYaILeborzV3Cs6KJuwmDK8VOIvLy/G9iUUfKDa:hbA3xo3mKnk/VVg/K86G9gfu+0by

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks