General

  • Target

    6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

  • Size

    2.0MB

  • Sample

    241114-f43rksvfqq

  • MD5

    43a09f586ae8fe86191c47743b5cf744

  • SHA1

    a8bc2177c871d0d29e93737a7ebcaa3da8f182de

  • SHA256

    6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58

  • SHA512

    ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104

  • SSDEEP

    49152:+bv4/KHiciethGCUA1TJeUCMkiOT3eY1CKzuJtGvAAzB:+bv4/BUVb5JLChiAu1evAoB

Malware Config

Targets

    • Target

      6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

    • Size

      2.0MB

    • MD5

      43a09f586ae8fe86191c47743b5cf744

    • SHA1

      a8bc2177c871d0d29e93737a7ebcaa3da8f182de

    • SHA256

      6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58

    • SHA512

      ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104

    • SSDEEP

      49152:+bv4/KHiciethGCUA1TJeUCMkiOT3eY1CKzuJtGvAAzB:+bv4/BUVb5JLChiAu1evAoB

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks