General

  • Target

    8FE4D765052F33EE206BABD50ECEBFF4.exe

  • Size

    1.8MB

  • Sample

    241104-1qgbmsxhmd

  • MD5

    8fe4d765052f33ee206babd50ecebff4

  • SHA1

    626ed36cc72ed374334c868a5d2471cd1d70e9ef

  • SHA256

    9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462

  • SHA512

    5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210

  • SSDEEP

    49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks