General

  • Target

    ОКУРАТНО.exe

  • Size

    2.0MB

  • Sample

    240722-3t8leawdlk

  • MD5

    843aaea3f9fcd5d05ff2561ee611880c

  • SHA1

    e8cd96e2933414c3d70d9db4a7014835cfa1bd10

  • SHA256

    94bd0998c7505445e3f74a8d902e4e768adc6304e0135075d0d856eae7c37ab1

  • SHA512

    cbed538d4521b58310700c6b439be87233c2f7035ac9e6edbdb177fad665fa379b8a8d0532ad2a68c4b554108d205a1209c02074b47a9ab16683b68be7f44f5d

  • SSDEEP

    24576:52G/nvxW3WHj0PhetvJ2pv6zvifbzgs4dGnO1F4R8rDX6ZrnHkBseAa+KMYoI:5bA3ZUo6buPaARUDInHkBHEY

Malware Config

Targets

    • Target

      ОКУРАТНО.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks