General

  • Target

    05fc0bdf63407c4bf2aa13262366cec5.exe

  • Size

    624KB

  • Sample

    240722-g9l7fstapm

  • MD5

    05fc0bdf63407c4bf2aa13262366cec5

  • SHA1

    3c25001232633ced8c5dbd159793f5db7b9bd3c8

  • SHA256

    7c00050f9a74c897dc0b917b07898b14150329571584ed3d7928d7c59b974c2b

  • SHA512

    9513fb1767b3f7c480c86e9958df83e30f19f0b487f7e37b844266a968dfe9b4275e4fe3c11118a5ccace381d69e928dab61a32b113095b3a2f3f83bc6a821e4

  • SSDEEP

    12288:aRZ+IoG/n9IQxW3OBsee2X+t4Rb/32N7QqcLCf8VIP9A2oxldxDZt:U2G/nvxW3Ww0t/32NCkC2o5xD7

Targets

    • Target

      05fc0bdf63407c4bf2aa13262366cec5.exe

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT that has been active since June 2019 and can load additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised, for example via an exploit or a macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

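The persistence and geofence signatures above (Winlogon modification, Run key addition, country-code lookup) can be checked on a host directly. The following PowerShell script is an added example written for this page; it is not part of the sandbox report and not the sample's own code. It assumes a stock Windows install where Winlogon Shell is `explorer.exe` and Userinit is `C:\Windows\system32\userinit.exe,`, and that the "Checks computer location settings" signature corresponds to a read of the `Control Panel\International\Geo` key; both are assumptions, not facts taken from the report.

```powershell
# Added host-side audit for the behaviours flagged above. Editor-written example,
# not the sandbox report's output and not the sample's code.
# Assumption: stock Winlogon values below; adjust for hardened or OEM images.
function Get-PersistenceFindings {
    $findings = @()

    # 1. "Modifies WinLogon for persistence": Shell and Userinit are the usual targets.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = 'C:\Windows\system32\userinit.exe,'   # trailing comma is stock
    }
    $wl = Get-ItemProperty -Path $winlogon
    foreach ($name in $expected.Keys) {
        $actual = [string]$wl.$name
        if ($actual -and ($actual.Trim() -ne $expected[$name])) {   # -ne is case-insensitive
            $findings += [pscustomobject]@{
                Location = "$winlogon\$name"
                Value    = $actual
                Reason   = "differs from stock value '$($expected[$name])'"
            }
        }
    }
    # Windows also honours per-user Winlogon overrides; any value here is worth a look.
    $userWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if (Test-Path $userWinlogon) {
        $uwl = Get-ItemProperty -Path $userWinlogon
        foreach ($name in 'Shell', 'Userinit') {
            if ($uwl.$name) {
                $findings += [pscustomobject]@{
                    Location = "$userWinlogon\$name"
                    Value    = [string]$uwl.$name
                    Reason   = 'per-user Winlogon override present'
                }
            }
        }
    }

    # 2. "Adds Run key to start application": flag autoruns that launch from
    #    user-writable directories, where a dropped EXE usually ends up.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $suspiciousDirs = @('\\AppData\\', '\\Temp\\', '\\Users\\Public\\', '\\ProgramData\\')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $cmd = [string]$p.Value
            $hit = $suspiciousDirs | Where-Object { $cmd -match $_ }
            if ($hit) {
                $findings += [pscustomobject]@{
                    Location = "$key\$($p.Name)"
                    Value    = $cmd
                    Reason   = 'autorun launched from user-writable path'
                }
            }
        }
    }
    return $findings
}

# 3. "Checks computer location settings": assumed to be the GeoID under Geo\Nation.
#    Reported for context only; the value itself is not an indicator.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
Write-Host "Configured GeoID (Nation): $($geo.Nation)"

$results = Get-PersistenceFindings
if ($results) { $results | Format-Table -AutoSize } else { Write-Host 'No persistence anomalies found.' }
```

Run it in an elevated prompt so the HKLM values are readable; pair the output with the hashes listed under General to confirm whether any flagged autorun points at the dropped file.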