General
Target: b5a1474fcb8f7b9809d52546bd304af3.exe
Size: 2.2MB
Sample: 241216-2492jstndp
MD5: b5a1474fcb8f7b9809d52546bd304af3
SHA1: 8604fe586fa0d03adaa6608169a62c65c837de7d
SHA256: dc83dbd12c5a432a6c168982e55d6c7be89dd0bc4b915e3e93e3a97c8af0ab0d
SHA512: 39931300c863c521957dd5d842c0c6e0d66d2b43663136375e21feb26181bd1c9d4494025e0e7a00b80b51405d1e67bfe825787e60c1b99998463b4e3a49a7ee
SSDEEP: 49152:IBJVhKLUy2ich2Y+jCRZCH77sVccM50sF/CwsuVoM:y3hKPFch2YHgbucc00OdoM
Static task: static1
Behavioral task: behavioral1
Sample: b5a1474fcb8f7b9809d52546bd304af3.exe
Resource: win7-20241010-en
Malware Config
Targets
- DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)