General

  • Target

    51ffa30e0bb9d0cfbfaf1196013fa002.exe

  • Size

    2.5MB

  • Sample

    241004-masg3ssfpb

  • MD5

    51ffa30e0bb9d0cfbfaf1196013fa002

  • SHA1

    4345b5fb8073eba34c3c3b7c99cd953f334a8b8e

  • SHA256

    fab97138b63949bba074d0510d3707f2ccf96632688086a36d1976dadb973fd1

  • SHA512

    e3dd2ff17e67ff79fc1869e92435db914ef576168798a62790547bdeea6f1daca9a4cc63aee1fe236620db5a845d619c6fd29f00bd187c88250fcb393b567d98

  • SSDEEP

    49152:UbA30nbz7noruNu06uhaPSKhsToOVc6YlGa4SwvPrn0Gtkjz/+fM:Ub7bforB0UsoOVileSwvPrnLkjz/+k

Targets

    • Target

      51ffa30e0bb9d0cfbfaf1196013fa002.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
