General

  • Target

    0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe

  • Size

    1.8MB

  • Sample

    241113-v8nwjsvrhz

  • MD5

    a1b557c65fa59d8f91138e5cd4f0053e

  • SHA1

    94139bac4ae269f6d38f5c7946475855a71c659d

  • SHA256

    0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126

  • SHA512

    bf72078a5cb40f512f3061a13ecaa3f924d70a5a65c2146f3efeca0655c3924f535785698b3db740f4ae1a51ba6685dc4f2afd911d99d3a58eff86f4aa5c18ee

  • SSDEEP

    49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMhX:mgVTVXYNX9mOWSkMp

Malware Config

Targets

    • Target

      0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe

    • Size

      1.8MB

    • MD5

      a1b557c65fa59d8f91138e5cd4f0053e

    • SHA1

      94139bac4ae269f6d38f5c7946475855a71c659d

    • SHA256

      0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126

    • SHA512

      bf72078a5cb40f512f3061a13ecaa3f924d70a5a65c2146f3efeca0655c3924f535785698b3db740f4ae1a51ba6685dc4f2afd911d99d3a58eff86f4aa5c18ee

    • SSDEEP

      49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMhX:mgVTVXYNX9mOWSkMp

    • DcRat

      DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to change Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Executes dropped EXE

    • Checks whether UAC is enabled
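
The "Command and Scripting Interpreter: PowerShell" and "Process spawned unexpected child process" signatures above, as an added detection example that is not part of the original report and is not the sandbox vendor's code. It runs two checks over constructed process-creation events: one flags Add-MpPreference/Set-MpPreference calls that add exclusion paths, extensions or processes, also looking inside an -EncodedCommand payload so base64 wrapping does not hide the change; the other flags a document or reader process spawning a script host. The event field names (ParentImage, Image, CommandLine), the parent and script-host lists, the -EncodedCommand abbreviations and every command line are assumptions made for the example; the report does not show the sample's actual command lines.

```python
"""Detection checks for two behaviours listed in the report above: PowerShell
adding Windows Defender exclusions, and a document/reader process spawning a
script host. Added example, not code from the sandbox vendor or the sample.
Events are constructed to resemble Sysmon Event ID 1 fields, not real data."""
import base64
import re

# Cmdlets that change Defender settings, and the exclusion parameters the
# signature text names (extensions, paths, processes).
MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b",
                                re.IGNORECASE)
# -EncodedCommand and common abbreviations (-e, -ec, -enc). PowerShell accepts
# any unambiguous prefix, so this list is an assumption and not complete.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)

# Assumed minimal lists for the "unexpected child" check: parents usually
# compromised via an exploit or macro, and script hosts they should not spawn.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand payload (base64 of UTF-16LE), or None when
    there is none or the token does not decode cleanly."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_exclusion_hits(cmdline):
    """Sorted, de-duplicated exclusion parameters passed to Add/Set-MpPreference,
    checked in both the plaintext command line and any encoded payload."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    hits = set()
    for text in texts:
        if MP_CMDLET_RE.search(text):
            for m in EXCLUSION_PARAM_RE.finditer(text):
                hits.add("-Exclusion" + m.group(1).capitalize())
    return sorted(hits)


def triage(events):
    """Apply both checks to process-creation events; findings in event order."""
    findings = []
    for i, ev in enumerate(events):
        parent = basename(ev.get("ParentImage", ""))
        image = basename(ev.get("Image", ""))
        hits = defender_exclusion_hits(ev.get("CommandLine", ""))
        if hits:
            findings.append({"event": i, "rule": "defender_exclusion",
                             "detail": hits})
        if parent in DOC_PARENTS and image in SCRIPT_HOSTS:
            findings.append({"event": i, "rule": "unexpected_child",
                             "detail": f"{parent} -> {image}"})
    return findings


# Constructed sample events (not real telemetry); the command lines are
# illustrative, the report does not show the sample's actual command line.
PLAIN_CMD = ('powershell.exe -Command "Add-MpPreference -ExclusionPath '
             "'C:\\Users\\Public' -ExclusionExtension '.exe' "
             "-ExclusionProcess 'svchost.exe'\"")
ENCODED_PAYLOAD = "Set-MpPreference -ExclusionPath C:\\Temp"
ENCODED_CMD = "powershell.exe -NoP -enc " + base64.b64encode(
    ENCODED_PAYLOAD.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Users\victim\Downloads\0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe",
     "Image": PS, "CommandLine": PLAIN_CMD},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": PS, "CommandLine": ENCODED_CMD},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -Command "Get-MpPreference"'},
]
```

Calling `triage(SAMPLE_EVENTS)` reports the exclusion change from the dropped executable's PowerShell child, and both the decoded exclusion and the WINWORD.EXE-to-powershell.exe parentage for the encoded event, while the administrator's Get-MpPreference query produces nothing. Matching only on the plaintext command line would miss the encoded case, which is why the decoder runs before the cmdlet check.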

MITRE ATT&CK Enterprise v15

Tasks