General

  • Target

    078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd

  • Size

    3.6MB

  • Sample

    241127-vezqyssjfx

  • MD5

    646a50d060ae1b649f0ca735aabf5744

  • SHA1

    a666932e153ef1d2c2463009e0df4de9bdf73322

  • SHA256

    078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd

  • SHA512

    0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c

  • SSDEEP

    98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M

Malware Config

Targets

    • Target

      078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd

    • Size

      3.6MB

    • MD5

      646a50d060ae1b649f0ca735aabf5744

    • SHA1

      a666932e153ef1d2c2463009e0df4de9bdf73322

    • SHA256

      078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd

    • SHA512

      0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c

    • SSDEEP

      98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks