General

  • Target

    e2090baad30a864c76047b4edaa0950c535e53c677ce97cf6c9bc36da041dcac.exe

  • Size

    1.6MB

  • Sample

    241003-cp839szbjj

  • MD5

    3272fa97b8c3aacd7b7575bda19a2372

  • SHA1

    50880cea6090ba0f620bd02ced40a4c555502cec

  • SHA256

    e2090baad30a864c76047b4edaa0950c535e53c677ce97cf6c9bc36da041dcac

  • SHA512

    a8bfed6757f054578cde7a5307c160619400b240c49be88f7ca6cb71a159ab7ac43d410a490b0f0f23a24c4cc30bce04f72eb29bf9a649c896d19fc59f4c7ba8

  • SSDEEP

    24576:U2G/nvxW3Ww0tClWzUNfKMUyQ5phrRF6h5tlkUKFH9gY00mE8QALtlFTc9KuQy:UbA30jUi5bUOH9I0mj0L

Targets

    • Target

      e2090baad30a864c76047b4edaa0950c535e53c677ce97cf6c9bc36da041dcac.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
