General

  • Target

    af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe

  • Size

    1.7MB

  • Sample

    241118-xcswqssenc

  • MD5

    6d41ecedcce80f8c3fa81d06041101e8

  • SHA1

    a0c354fc73043792e994309472a61ddb35144a0d

  • SHA256

    af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd

  • SHA512

    874a83462cbc5ac0f71b0b18ab07a284106cdbfb19f170c83bc954cf1b017634e57374971df1f1a4ac33b24d91ebb234fcff80de5bd94a74a144f84c205557d5

  • SSDEEP

    24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJz:NgwuuEpdDLNwVMeXDL0fdSzAGM

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks