General

  • Target

    aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

  • Size

    3.3MB

  • Sample

    240725-fr8r3azgmm

  • MD5

    ebf1db324a7e5a4f9dfc3e9731a8a301

  • SHA1

    6e95daa4f46b8b32320c9b3676119233aa72f21f

  • SHA256

    aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba

  • SHA512

    d9456fd19fef61e1557c089ff97e40b8295029fae5903871cd600370464b2a6c6042855771e15f8991b6a05208c64cf3aa654475cbf074578fc6661c3b65b96e

  • SSDEEP

    49152:o8xhCcpCNPulYCFckZHvEdM1jegx7oOCM1Gn72tESduILWMJd33eRkX2EuFgtDGg:NhrChV+cU/NeBPMY72tRR0EuUG

Targets

    • Target

      aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
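
The two persistence signatures above ("Modifies WinLogon for persistence" and "Adds Run key to start application") can be reproduced offline from registry exports taken before and after detonation. The Python below is an added example, not code from the Triage report or from the sample: both snapshots are constructed `reg query /s`-style text, the Winlogon default values are the stock Windows ones, and the dropped-file path `C:\Users\Public\Libraries\winhost.exe` is a placeholder, not an indicator from this sample.

```python
"""Offline check for the WinLogon and Run-key persistence signatures reported above.
Added example, not code from the Triage report or the sample. Both snapshots below
are constructed `reg query`-style text; the dropped path is a placeholder."""
import re
from typing import Dict, List, Tuple

# Registry locations the two signatures look at (lower-cased for matching).
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
)
# Stock values on a default install; anything else in these two values means
# an extra binary is launched at every interactive logon.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}

Snapshot = Dict[str, Dict[str, Tuple[str, str]]]  # key -> {value name: (type, data)}


def parse_reg_query(text: str) -> Snapshot:
    """Parse `reg query <key> /s`-style output: unindented key lines followed by
    indented 'name    type    data' lines (columns separated by 2+ spaces)."""
    snap: Snapshot = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip().lower()
            snap.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value line before any key line")
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) < 2:
            raise ValueError(f"unparseable value line: {raw!r}")
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        snap[current][name] = (vtype, data)
    return snap


def check_winlogon(snap: Snapshot) -> List[str]:
    """'Modifies WinLogon for persistence': Userinit/Shell differ from stock values."""
    findings = []
    for vname, (_, data) in snap.get(WINLOGON, {}).items():
        default = WINLOGON_DEFAULTS.get(vname.lower())
        if default is not None and data.strip().lower() != default:
            findings.append(f"winlogon {vname} changed: {data}")
    return findings


def diff_run_keys(baseline: Snapshot, infected: Snapshot) -> List[str]:
    """'Adds Run key to start application': values new or changed since the baseline."""
    findings = []
    for key in RUN_KEYS:
        before = baseline.get(key, {})
        for vname, (_, data) in infected.get(key, {}).items():
            if vname not in before:
                findings.append(f"new {key}\\{vname} = {data}")
            elif before[vname][1] != data:
                findings.append(f"changed {key}\\{vname}: {before[vname][1]} -> {data}")
    return findings


def triage(baseline_text: str, infected_text: str) -> List[str]:
    infected = parse_reg_query(infected_text)
    return check_winlogon(infected) + diff_run_keys(parse_reg_query(baseline_text), infected)


# Constructed snapshots: a clean baseline and a post-detonation export.
BASELINE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\Public\Libraries\winhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    winhost    REG_SZ    "C:\Users\Public\Libraries\winhost.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

if __name__ == "__main__":
    for line in triage(BASELINE, INFECTED):
        print(line)
```

Winlogon is compared against stock values rather than against the baseline because a Userinit value that has been appended to is malicious regardless of what the baseline held; Run keys are diffed against the baseline because legitimate autostart entries vary per host. Exports from a live host are produced with `reg query HKLM\... /s` and fed in the same way.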

MITRE ATT&CK Enterprise v15
