General
- Target: 12.zip
- Size: 190B
- Sample: 241219-wflq6axnel
- MD5: acade08e83e1ef0264a7683ea9c17c2e
- SHA1: e9aeff6ca39b52349c73af659b4d1a10a8859117
- SHA256: c46112e4d73ebc9078837adc6e71113ca6f485a3f0a3a5437ddb2cae5356b02c
- SHA512: 38f17b4c6c6e5e3f63c40039ca463b0b7543526f57ab6009a912b780977c3be0c72a3f37a612c1f9da88a09cba382ad6e4a79aad24c7c8adef88d0f2e791ea85
- Static task: static1
Targets
- Target: Hid.bat
- Size: 42B
- MD5: 43cd3c49420b97a7e59f4505e592c497
- SHA1: b404d304be17050293e6afbe607d507c03e48154
- SHA256: 44b7b386c2fc2a0e0e9e37e67c163f3cb5588bfd8d861315fa83ed10398538ea
- SHA512: 977b04f7cf0cf3b43ce491f661134184029c7381baeef1a920fe15c6d2b2f522f27f105a45234eb152f6073ed5adfa8db48efa2e6c9c458bf54b2c6f5e776696
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- DcRat family
- Process spawned unexpected child process
  This typically indicates that the parent process was compromised via an exploit or a macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- A potential corporate email address has been identified in the URL: currency-file@1
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (2)
- Query Registry (6)
- Remote System Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)