General

  • Target

    497ac5eb72b62c3db2d5383bc2823bf38596e00d877ec7e9d572a94830f07a0e.exe

  • Size

    1.4MB

  • Sample

    241003-bref1a1cjd

  • MD5

    3e40d7f0c47407447c1fa9be4ec0f714

  • SHA1

    f8633060aa590db85a70e9d1ae220b220ed03a98

  • SHA256

    497ac5eb72b62c3db2d5383bc2823bf38596e00d877ec7e9d572a94830f07a0e

  • SHA512

    9fc81db6a6ddf93626529223d5ee8a13717fc3069d90eb66fad1ef9a3172b776578e844ead65bf8e6e334bc0ad82910a6844b99ca8643083f2d140d3aae767cf

  • SSDEEP

    24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV

Malware Config

Targets

    • Target

      497ac5eb72b62c3db2d5383bc2823bf38596e00d877ec7e9d572a94830f07a0e.exe

    • Size

      1.4MB

    • MD5

      3e40d7f0c47407447c1fa9be4ec0f714

    • SHA1

      f8633060aa590db85a70e9d1ae220b220ed03a98

    • SHA256

      497ac5eb72b62c3db2d5383bc2823bf38596e00d877ec7e9d572a94830f07a0e

    • SHA512

      9fc81db6a6ddf93626529223d5ee8a13717fc3069d90eb66fad1ef9a3172b776578e844ead65bf8e6e334bc0ad82910a6844b99ca8643083f2d140d3aae767cf

    • SSDEEP

      24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks