General

  • Target

    FATALITYCRACK.rar

  • Size

    2.7MB

  • Sample

    241122-r6mnxsymfp

  • MD5

    eb91852ed7ae328ed294a75c56582481

  • SHA1

    7d980b6789e74998fd1b906dfb7eda7e3495a127

  • SHA256

    30e973ae2b2420c2506000813d5fc3fb12c4bedc3595b00b097840b597018df9

  • SHA512

    245d39ff89011ea50f42f1098c459349add3a21f8db7d55ddacfe4c812e68920b2a879144ed1845fc6623609cc5a4be7fb8537b0d007607fde289e0eedd89c78

  • SSDEEP

    49152:INSopUBKz7NJ3s9WUt/py3y1VNJNwDn7Fex0P1EDsix6Uqaj:gSopzzZPG/py3ybNgDnBex01RiA2j

Targets

    • Target

      FATALITY/loader.exe

    • Size

      3.2MB

    • MD5

      8faa9e2bbcb1f98cb3971b94f9feda41

    • SHA1

      ab03732cdbc58c752057f2dd3c39e164e222476f

    • SHA256

      026825e9ca81fe52b1833a5e2c838336bc645778da89ff5c266c65c9d750a490

    • SHA512

      5a660bddaf58c15503861663d018e3444c40fc9a62cc2953a60e41c78561014db4911d4f1da80f70a492d6ff912765d93e08c3c39fce921580b034dfcc47d358

    • SSDEEP

      98304:fP8sZQDJ8Apc4VDuZc3PT9ejwigyEgKSkzd1kl86:cs6lrDlT9ej7UgKBLy

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • DcRat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15