General

  • Target: 95e7c0817701f4613ef02985fa20d4b308472937f3999427aaa06ac5cc64e633N
  • Size: 682KB
  • Sample: 241004-e4ejbaycrd
  • MD5: fe89da7dba35c1395e62db82d6db5440
  • SHA1: 92d1dfedf1e263f9bc5e0afc58dd6217de2f14a6
  • SHA256: 95e7c0817701f4613ef02985fa20d4b308472937f3999427aaa06ac5cc64e633
  • SHA512: 3630887445976d5666ddf8e577e328e63ac3e204dd29453666135a8a127af28e2d335ae575d502530d1c6a55864844ae6e03210dec4d36128725a904669d8e31
  • SSDEEP: 12288:hqnO3mwJNoGFAgHCRvp1i/fjqJRYFInDrX/xTU3JgXDV6blx1wgtra7B:h+O3mwJnCRvEMxnDVSwgY

Malware Config

Targets

    • DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
    • Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
    • UAC bypass
    • DCRat payload: detects the payload of DCRat, commonly dropped by NSIS installers.
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks