General

  • Target

    299ca6c79cca21d4e4d6204d3c650d10N.exe

  • Size

    1.8MB

  • Sample

    240724-aw5y3s1clf

  • MD5

    299ca6c79cca21d4e4d6204d3c650d10

  • SHA1

    a7db4c75ad2025257a62964397fe231436b07d2e

  • SHA256

    23f8f5fa14be58995db500b8506fde23f21f469a76912178b7934c354b3ce712

  • SHA512

    af85c0db6cd789d0a5d299d2abcce194703214f52895de7c6751c7a6889e6ed7b4d0cbf1d449253e8ef74cdde9a0a1f91fba6d12319bc1c96ccbd2e26482de75

  • SSDEEP

    24576:qCtiMhME2Tw3zTIsaEO+5M4vZZk+70IT0AWBGpfmoEu562TEsRdrKgwgJlD02ioK:1hmQzW+j+40IIAWGrEuU2TLdrKCJlIS

Malware Config

Targets

    • Target

      299ca6c79cca21d4e4d6204d3c650d10N.exe

    • Size

      1.8MB

    • MD5

      299ca6c79cca21d4e4d6204d3c650d10

    • SHA1

      a7db4c75ad2025257a62964397fe231436b07d2e

    • SHA256

      23f8f5fa14be58995db500b8506fde23f21f469a76912178b7934c354b3ce712

    • SHA512

      af85c0db6cd789d0a5d299d2abcce194703214f52895de7c6751c7a6889e6ed7b4d0cbf1d449253e8ef74cdde9a0a1f91fba6d12319bc1c96ccbd2e26482de75

    • SSDEEP

      24576:qCtiMhME2Tw3zTIsaEO+5M4vZZk+70IT0AWBGpfmoEu562TEsRdrKgwgJlD02ioK:1hmQzW+j+40IIAWGrEuU2TLdrKCJlIS

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks