General

  • Target

    1b658da9c8d0a06a1e260d7307d73e0e76b8bd8d31ef4b8996c1b7b7a930c8ec

  • Size

    1.4MB

  • Sample

    241003-yrz42atfnq

  • MD5

    df365761d04b057e79cb34dba2948779

  • SHA1

    ef39221e6bfb8f9a1fea95045286b479b858d2f0

  • SHA256

    1b658da9c8d0a06a1e260d7307d73e0e76b8bd8d31ef4b8996c1b7b7a930c8ec

  • SHA512

    48a3ce4223dd4ceaee82738f1834f0f18c6b4e0b12a8a2a71b8fb06e9bf5a750e152fcca165a250357c884ad44dd85f78e6e34bf5407877a4ece78f07e90216b

  • SSDEEP

    24576:qIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:qQzulw0bg/qAymlV

Malware Config

Targets

    • Target

      1b658da9c8d0a06a1e260d7307d73e0e76b8bd8d31ef4b8996c1b7b7a930c8ec

    • Size

      1.4MB

    • MD5

      df365761d04b057e79cb34dba2948779

    • SHA1

      ef39221e6bfb8f9a1fea95045286b479b858d2f0

    • SHA256

      1b658da9c8d0a06a1e260d7307d73e0e76b8bd8d31ef4b8996c1b7b7a930c8ec

    • SHA512

      48a3ce4223dd4ceaee82738f1834f0f18c6b4e0b12a8a2a71b8fb06e9bf5a750e152fcca165a250357c884ad44dd85f78e6e34bf5407877a4ece78f07e90216b

    • SSDEEP

      24576:qIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:qQzulw0bg/qAymlV

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks