General

  • Target

    25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c.exe

  • Size

    2.5MB

  • Sample

    240723-stzy6axaml

  • MD5

    3a7eb05a575ea6c0ebd97a42d6a77e66

  • SHA1

    71e362bd1e833c7192c0f93d219f9727f1c98297

  • SHA256

    25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c

  • SHA512

    0e4e9cc7d86949b349722e3e41d6e1686f8f55d44e98f93ff5f42f05a798c8300be75ff19ea0c369800c2cbc0fb4190a7138cbac5250ea812b11d185100403f6

  • SSDEEP

    49152:dLajZyQosaw6JjUh94mLijLGroai47lLOBTh8YLX/tG6wY0F6SqcCN39XD:cZyQoK2j1mLijicSLeLPeYTNx

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks