Resubmissions

22-07-2024 19:12

240722-xwylbstbjc 10

22-07-2024 19:02

240722-xpxqfssfle 10

General

  • Target

    FunCheker.zip

  • Size

    1.9MB

  • Sample

    240722-xwylbstbjc

  • MD5

    24205851c5a1e2bfefee855b74062623

  • SHA1

    38b96b174bba5662262bc8243e1a10492b4b6191

  • SHA256

    0cf56a65f8c8d0147fae630441e029d4c0c739ddf1198e8f4eedb1778fe16ed9

  • SHA512

    f211845b870344066124bce8c60708133a297387ae76afa1c48878244daaadafa6538117201cfe713aba311ce46d214a6260a5da736f62aed3d025e4fe775863

  • SSDEEP

    24576:8+KmfBSVq3qeyJ+rHRku1J4RNe5+fyrk5wByKZi6SNbqYi7ZvuOW51zwQY89dZVy:Qoz3qeyJ+rHRX1J2vYB9Z+bqSP510QY3

Targets

    • Target

      FunCheker.exe

    • Size

      1.9MB

    • MD5

      a69f81ab8922f56e786c95000e4ea238

    • SHA1

      eec04e5776a155f4445260b46f8fa3b139ccedef

    • SHA256

      c36b87352873121329f10440ce883510be4c7d829d6afe7ee28664b79cddfd8d

    • SHA512

      de9a791be937925f0ab9d665e6282237f78b4b14f11e539bbcb9dd1ee95b0421a00ab841adb97ed3f41d3d92d94a569728edb486940afb690114bf825a42aeab

    • SSDEEP

      49152:mIduhWrW/Si9FPOcS/up3M4vsEVXxQ4mxS5WDK:BuMr6zxSmp8Bi6I

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL
