General

  • Target

    501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad

  • Size

    1.4MB

  • Sample

    241127-vb3nfa1rfx

  • MD5

    181d043c0617914801548f09d5b776d4

  • SHA1

    757f042065a3dc2c9f73e635b41f83591c8ad647

  • SHA256

    501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad

  • SHA512

    c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574

  • SSDEEP

    24576:6oIREGQw97lGTIYskQyxNtGSKERqWzAcqGv+3spCElJz009I+LU:gRdGcHkBxNYARdzAcqGv+cphlJzxV

Malware Config

Targets

    • Target

      501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad

    • Size

      1.4MB

    • MD5

      181d043c0617914801548f09d5b776d4

    • SHA1

      757f042065a3dc2c9f73e635b41f83591c8ad647

    • SHA256

      501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad

    • SHA512

      c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574

    • SSDEEP

      24576:6oIREGQw97lGTIYskQyxNtGSKERqWzAcqGv+3spCElJz009I+LU:gRdGcHkBxNYARdzAcqGv+cphlJzxV

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks