General

  • Target

    ADA563883BF3A762A5610A0DECE18B0D.exe

  • Size

    1.1MB

  • Sample

    240728-fx5btstbpd

  • MD5

    ada563883bf3a762a5610a0dece18b0d

  • SHA1

    666d86ca4ce9920d950ae73f0bf031f84078d78c

  • SHA256

    94f11d5cb25d38c9a50a91dbdc481de91fbc7dd6f647d7638d84138ed0d24a21

  • SHA512

    5843db2c8fafd2ce75484fab2efc7ba0d7c389a8ea9c0c1738c784e401db0674f83651e7ff786be9897bbe52c485d1123163fd74c4b27df3bb3b82df47d52511

  • SSDEEP

    24576:U2G/nvxW3Ww0twiDWtUi+zDIvECjbuqj2aksQ7a4:UbA30vWozp84B

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
