General

  • Target

    68028fe0a2bb715fe782583e5c29c6ff.exe

  • Size

    2.4MB

  • Sample

    241003-sa1fks1dpr

  • MD5

    68028fe0a2bb715fe782583e5c29c6ff

  • SHA1

    61ed3a7c584675d2f1938c445476488c2e1f3c6e

  • SHA256

    132d4d7f1635c8c0a5bc723e1bee6d2475cce461fefad80f07d74ad1fbd12357

  • SHA512

    0183d5105f4e7a1520e6a64089fa3d0b30465d4814dde00a4a0931de1369855fa53ca01180d60eeeb6a3b631a0716d76cf86ce56a2fc0d95d5a4ff93fe9d015c

  • SSDEEP

    49152:pbA3lGpDJJ41lzRMvw+u5Z0CKevJcUlMhnnjMsUHiHjsyB:pbRnJ41livwjgFUehnj1HHB

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks