General

  • Target

    0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

  • Size

    2.7MB

  • Sample

    241122-2xd1ja1pfy

  • MD5

    9ee80d36d88c45263efe383594c9e691

  • SHA1

    48474dc934a74661330f307b199581867f6baa7c

  • SHA256

    0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd

  • SHA512

    ae1fab9d36bcef8c8e65c2e93e42ff83f8fc7641d1a1662b8ecd959fd2a28cd1c57cb751ce83c8d7f815cc10e8d226065b224303ef19b53508ba0a3601337f81

  • SSDEEP

    24576:S+O4GERsRRVgXtXzrTiJe48ySFtPNe5fO:lirO9P348yqb

Malware Config

Targets

    • Target

      0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd.exe

    • Size

      2.7MB

    • MD5

      9ee80d36d88c45263efe383594c9e691

    • SHA1

      48474dc934a74661330f307b199581867f6baa7c

    • SHA256

      0a5b531197542f39a3dd325cdf0ffe37d771a4c3620e6d5317c3c2c845b6a3bd

    • SHA512

      ae1fab9d36bcef8c8e65c2e93e42ff83f8fc7641d1a1662b8ecd959fd2a28cd1c57cb751ce83c8d7f815cc10e8d226065b224303ef19b53508ba0a3601337f81

    • SSDEEP

      24576:S+O4GERsRRVgXtXzrTiJe48ySFtPNe5fO:lirO9P348yqb

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks