General

  • Target

    start.bat

  • Size

    3.1MB

  • Sample

    240723-s17mkszfme

  • MD5

    faad04bd754af1b4cf0dac950ced5183

  • SHA1

    a057726d0dbc0bf945dba25b64bd6219bdf524cf

  • SHA256

    7288a50308189b135503011afbd1a1901c5fc12b2c0112a04669b77e357652f0

  • SHA512

    2f01c46d1b2e12d74d4b28d05d876db86f6698d5bf650d0307df9b4f86ad50d393e3f4cdb3f340207fcf93b219a480664e862a3614816e4433adee92f2fa4437

  • SSDEEP

    49152:ubA3j/NccgP+LV+bHQ8LivEm9IkmJ571CPw/e18gbyP0rnWaF:ubUKcHsXivBIkmf1JS8iznWaF

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar artifacts.

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15