General

  • Target

    ROBLOXFARMER.exe

  • Size

    1.9MB

  • Sample

    240722-2np2faseqd

  • MD5

    0cdc894447aa85d4b2c744c6825a2e0e

  • SHA1

    a4fcb12fcfaa38c8656964749962c9cdc2b9d82d

  • SHA256

    d89a9ab35a2173a4ec62cc98d54e2ffbff2f0d985386f98a8e11c5dc905bcb83

  • SHA512

    b8be16d455166089c7463ea876bfc293cbb851a86bb0846427c0ad1e70e1e978531031e04064c1287d1aafebf01da32b605d6039ef1f33dc4a48a49ddca7dedd

  • SSDEEP

    24576:u2G/nvxW3WieCgbyFbFdG74xU/FmYd3y7uQyBOueO9SEU5/UpdnrZ4Ef2w18:ubA3jgCgW+jxy79uz9SEWBCC

Malware Config

Targets

    • Target

      ROBLOXFARMER.exe

    • Size

      1.9MB

    • MD5

      0cdc894447aa85d4b2c744c6825a2e0e

    • SHA1

      a4fcb12fcfaa38c8656964749962c9cdc2b9d82d

    • SHA256

      d89a9ab35a2173a4ec62cc98d54e2ffbff2f0d985386f98a8e11c5dc905bcb83

    • SHA512

      b8be16d455166089c7463ea876bfc293cbb851a86bb0846427c0ad1e70e1e978531031e04064c1287d1aafebf01da32b605d6039ef1f33dc4a48a49ddca7dedd

    • SSDEEP

      24576:u2G/nvxW3WieCgbyFbFdG74xU/FmYd3y7uQyBOueO9SEU5/UpdnrZ4Ef2w18:ubA3jgCgW+jxy79uz9SEWBCC

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks