General

  • Target

    E3A480A53D8B2C398A7642E1F4E84785.exe

  • Size

    12.9MB

  • Sample

    241030-nqkb3s1mgz

  • MD5

    e3a480a53d8b2c398a7642e1f4e84785

  • SHA1

    7f8fa5e3dc9be9055f9202213be33460a1af1e09

  • SHA256

    11e550c201ee70fb01902b1e84b19a133c0861e170c764db9d8755be67fdcde2

  • SHA512

    b3fce5ac73b75fb70d6c798517426ee614b72f24236baf07752f1289a8ce78d74c3c1ec5168f1d8fbcaa5b7de072ef3175f895ac1a49379f716209df49d103e8

  • SSDEEP

    393216:oJlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8t:obQpgssCKInwjJaMu

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA

Targets

    • Target

      E3A480A53D8B2C398A7642E1F4E84785.exe

    • Size

      12.9MB

    • MD5

      e3a480a53d8b2c398a7642e1f4e84785

    • SHA1

      7f8fa5e3dc9be9055f9202213be33460a1af1e09

    • SHA256

      11e550c201ee70fb01902b1e84b19a133c0861e170c764db9d8755be67fdcde2

    • SHA512

      b3fce5ac73b75fb70d6c798517426ee614b72f24236baf07752f1289a8ce78d74c3c1ec5168f1d8fbcaa5b7de072ef3175f895ac1a49379f716209df49d103e8

    • SSDEEP

      393216:oJlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8t:obQpgssCKInwjJaMu

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Detect Umbral payload

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies Security services

      Modifies the startup behavior of a security service.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks