General

  • Target

    Dox_tool.exe

  • Size

    1.7MB

  • Sample

    240721-vn5zbsxhpj

  • MD5

    276b2bfee53d4a1bd9b6ea4d2f1b7dda

  • SHA1

    675296357dee37115c193e31fac2de25964f5270

  • SHA256

    d9f6c68201892bafc05114797bcfe7d38d14e0d33604fa2b987cd9fb10b0606f

  • SHA512

    58f68ce2fa13fd24bc9d93439560d55fc1121eb2ed949f4b9cbcf6aaaf9363ed55803f1a3714c1a171c2b9c7311aae23867624ea8e0987f3108f0a14199324c3

  • SSDEEP

    24576:U2G/nvxW3Ww0tlRnL691WiZw7xxf2sOQY6/8YHz4m5LG+sn501TW4l/KXFUO9RZQ:UbA30lBL6e7Xjc4euy4l/KXFU6Ih9

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
