General

  • Target

    Celestial Crack.zip

  • Size

    18.3MB

  • Sample

    240716-tzhsha1cnq

  • MD5

    3c002d22691e03979237c9b2e59b68fe

  • SHA1

    4eb08de136c65c39ac50cce1eb933f0ebdb32a58

  • SHA256

    3d5c1e8b26ab2596b9109d465b2edaaecea6e19b1a976a102b2a855249d70915

  • SHA512

    b8a40611097d6875e47c76cfa8c8429bf457a6d240f9bc4e4d95a696acfaf87092e9cf29f03131b515c30e5aa03ffe210ae53f788fdcc2906972e963ebeab84f

  • SSDEEP

    393216:7bXvrdREdINeW/FJxcd6CZMczYrjpJViNyfBJNPrTZAHd5s:fBREdIfdG6C9YHNHfB3PROdu

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks