General

  • Target

    BBD6FFDB33259778F08704696A04891F.exe

  • Size

    12.7MB

  • Sample

    241030-jn7x5szajl

  • MD5

    bbd6ffdb33259778f08704696a04891f

  • SHA1

    0fd836bb4bfc035ff35ebe0fb47e4693cec9e8ba

  • SHA256

    841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4

  • SHA512

    1b66f11b3a3dea1e6a8f4f7ee493437a41e30704d1c80048efd245184a447fde6abf06fe45af0663a72b30b657a7297554df8c3af7b36ae2e0df21a5031a34e0

  • SSDEEP

    393216:2JlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8X:2bQpgssCKInwjJaMc

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA

Targets

    • Target

      BBD6FFDB33259778F08704696A04891F.exe

    • Size

      12.7MB

    • MD5

      bbd6ffdb33259778f08704696a04891f

    • SHA1

      0fd836bb4bfc035ff35ebe0fb47e4693cec9e8ba

    • SHA256

      841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4

    • SHA512

      1b66f11b3a3dea1e6a8f4f7ee493437a41e30704d1c80048efd245184a447fde6abf06fe45af0663a72b30b657a7297554df8c3af7b36ae2e0df21a5031a34e0

    • SSDEEP

      393216:2JlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8X:2bQpgssCKInwjJaMc

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies Security services

      Modifies the startup behavior of a security service.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks