General

  • Target

    f33cb818506699190556413520aea94529eceeb0129e2337b13311bbba3aea00N

  • Size

    1.8MB

  • Sample

    241026-xqbjlsxflb

  • MD5

    a1f7dc028623603fc6679da86c395a50

  • SHA1

    cbdbe7473a73038476616db88de8a97980058c98

  • SHA256

    f33cb818506699190556413520aea94529eceeb0129e2337b13311bbba3aea00

  • SHA512

    ef799ba64fa023301ebfc323ae95694b90d239877c98f0dc3d625c2ace5c759b53df7729f8a8c1bdf25f7784a3221cea9a5518ecb4873a641682b3c8bca8c29f

  • SSDEEP

    24576:Oj2AR3l2oxrLCQicJ1UqS6TvB7WjRRvvkjjFExbw9xs2d5:IJRnYwpjVS0mtU

Malware Config

Targets

    • Target

      f33cb818506699190556413520aea94529eceeb0129e2337b13311bbba3aea00N

    • Size

      1.8MB

    • MD5

      a1f7dc028623603fc6679da86c395a50

    • SHA1

      cbdbe7473a73038476616db88de8a97980058c98

    • SHA256

      f33cb818506699190556413520aea94529eceeb0129e2337b13311bbba3aea00

    • SHA512

      ef799ba64fa023301ebfc323ae95694b90d239877c98f0dc3d625c2ace5c759b53df7729f8a8c1bdf25f7784a3221cea9a5518ecb4873a641682b3c8bca8c29f

    • SSDEEP

      24576:Oj2AR3l2oxrLCQicJ1UqS6TvB7WjRRvvkjjFExbw9xs2d5:IJRnYwpjVS0mtU

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks