General

  • Target

    F946CEB3DFBC4802323F045E77B9FC63.exe

  • Size

    1.3MB

  • Sample

    240721-eym89sthnb

  • MD5

    f946ceb3dfbc4802323f045e77b9fc63

  • SHA1

    04beac37360d30c5ad933f82f80bfd41ae294cc4

  • SHA256

    682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a

  • SHA512

    7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3

  • SSDEEP

    24576:qwwpL4DsvfsODQY2mq7yTK32HbzpEOlM7RJFolBjvmPln0Ep9GKc6NC1t:qw8LnsvQKMzpEOlM7RJqlhgq8rC1

Malware Config

Targets

    • Target

      F946CEB3DFBC4802323F045E77B9FC63.exe


    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks