General

  • Target

    b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

  • Size

    912KB

  • Sample

    241123-vpwr2sykfs

  • MD5

    ce162876a4c72ca0da4b96a16a5833ac

  • SHA1

    c1e7998c66f153719672bbd1e7fe6103a12869c2

  • SHA256

    b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04

  • SHA512

    1fe9474a4bfd6a4a74f8e4db88e4719ad6b1aa0a4efafc12e29a207ebc969284c96a276ad06e44ccd91f8f260f7e076c4b1a8d4504dd0ebd0d9017dbde1c4cd6

  • SSDEEP

    24576:Sa3x1VStiA7iw63VboDAJDyL+qq+aWTIN+4e:Rswq63IEUj

Targets

    • Target

      b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Reads the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory
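
The behavioural signatures above (Run-key persistence, a drop into System32, execution of the dropped file, a registry lookup of the machine's country setting, and an unexpected child process) are the kind of findings an analyst reproduces from endpoint telemetry when triaging the sample outside the sandbox. The following is an added example, not the sandbox's own rule set: it replays constructed, simplified events of the form `event_type|process_image|parent_image|target` (the paths and file names are made up for illustration and were not observed in this sample) and raises each finding. The registry paths matched for the location check (`Control Panel\International\Geo` and `Nls\Locale`) and the list of Office parents treated as suspicious are assumptions.

```python
"""Replay simplified endpoint telemetry and raise the behavioural findings
listed in the report.  Added example; the event format, the registry paths
matched and the parent-process list are assumptions, not the sandbox's rules.
"""
import re
from collections import defaultdict

# Constructed telemetry (not real logs): "event_type|process_image|parent_image|target".
SAMPLE_EVENTS = [
    "ProcessCreate|C:\\Users\\v\\Downloads\\b868e4ba796b5bb6.exe|C:\\Windows\\explorer.exe|",
    "RegQueryValue|C:\\Users\\v\\Downloads\\b868e4ba796b5bb6.exe||HKCU\\Control Panel\\International\\Geo\\Nation",
    "FileCreate|C:\\Users\\v\\Downloads\\b868e4ba796b5bb6.exe||C:\\Windows\\System32\\Tasks\\update.exe",
    "RegSetValue|C:\\Users\\v\\Downloads\\b868e4ba796b5bb6.exe||HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update",
    "ProcessCreate|C:\\Windows\\System32\\Tasks\\update.exe|C:\\Users\\v\\Downloads\\b868e4ba796b5bb6.exe|",
    "ProcessCreate|C:\\Windows\\System32\\cmd.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|",
    # Benign: a Windows binary writing under System32 must not be flagged.
    "FileCreate|C:\\Windows\\System32\\svchost.exe||C:\\Windows\\System32\\config\\systemprofile\\x.dat",
]

# Persistence via Run/RunOnce (any hive).
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Assumed registry locations holding the configured country / locale (GeoID, NLS).
GEO_KEYS = re.compile(r"\\Control Panel\\International\\Geo\\|\\Nls\\Locale", re.IGNORECASE)
# Assumed set of document-handling parents that should not spawn executables.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
WINDOWS_DIR = "c:\\windows\\"


def parse_event(line):
    """Split one constructed telemetry line into its four fields."""
    kind, image, parent, target = line.split("|", 3)
    return {"kind": kind, "image": image, "parent": parent, "target": target}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return {signature_name: [evidence, ...]} for the findings present in the trace."""
    findings = defaultdict(list)
    dropped = set()  # files written earlier in the trace, lower-cased full paths
    for line in lines:
        ev = parse_event(line)
        kind, image, parent, target = ev["kind"], ev["image"], ev["parent"], ev["target"]
        if kind == "FileCreate":
            dropped.add(target.lower())
            # Writes under System32 by something that does not itself live under
            # C:\Windows are the interesting ones; OS binaries doing so are routine.
            if target.lower().startswith(SYSTEM32) and not image.lower().startswith(WINDOWS_DIR):
                findings["Drops file in System32 directory"].append(target)
        elif kind == "RegSetValue" and RUN_KEY.search(target):
            findings["Adds Run key to start application"].append(target)
        elif kind == "RegQueryValue" and GEO_KEYS.search(target):
            findings["Checks computer location settings"].append(target)
        elif kind == "ProcessCreate":
            # Stateful: the image must have been created earlier in this trace.
            if image.lower() in dropped:
                findings["Executes dropped EXE"].append(image)
            if basename(parent) in OFFICE_PARENTS:
                findings["Process spawned unexpected child process"].append(
                    f"{basename(parent)} -> {basename(image)}"
                )
    return dict(findings)


if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {evidence}")
```

The "Executes dropped EXE" rule is deliberately stateful: it only fires for an image that an earlier FileCreate in the same trace wrote, so a process start of a pre-existing binary in the same directory is not mistaken for execution of a drop. The System32 rule filters on the writing process rather than the path alone, because Windows components write there constantly.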
