General

  • Target

    не запускай.exe

  • Size

    3.1MB

  • Sample

    240723-zmsd3a1ckd

  • MD5

    8dd764f9b37bfdabf8cc40bdda049699

  • SHA1

    114f79cdf04878cdf92a1db1756d0aedff5a28fb

  • SHA256

    9697116da432e74bd2335a378e1943b8617fa7c10aa0db45026c879c872e1265

  • SHA512

    0c49851c5fff60543a447a781666e7c1157309724d80792607e62ca3e11a1e89eecbb73785323c19dcf137698237e793a6088c7d9a3ad449c971dc56d1085051

  • SSDEEP

    49152:qbA3u9QOoRaSZuxwi5ejmkIIWj9UDAU7x8jUYzVlZegWNAW5egrQt:qbfy/RaUme3Wj9UDAMiVzVl4TyCw

Targets

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE
