General

  • Target

    bc4973de07361d1d10fba21f8723950c4f21b3f920625a28fbe3f432cbc8a3f2

  • Size

    1.3MB

  • Sample

    241221-wjje7svndw

  • MD5

    f6fca798992866e9ca4a5ed2877b593f

  • SHA1

    b00d16bca71931ffaca0475ede0ad8e91def06d1

  • SHA256

    bc4973de07361d1d10fba21f8723950c4f21b3f920625a28fbe3f432cbc8a3f2

  • SHA512

    51a94ea9fc32e268e0fec10c68376f879df3d75a498d584baa0dcbea2c8f9355d5a678e2b1a72e4b56d5d8d895594424d4c88f79013d5e162409f8c0a29c8cc5

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Targets

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins to extend its functionality.

    • Dcrat family

    • Process spawned unexpected child process

      The parent process created a child it would not normally spawn. This typically indicates the parent was compromised via an exploit or a malicious macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      PowerShell was run to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped files and their processes are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (only running, or not running, in certain countries).

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
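Two of the signatures above (PowerShell adding Defender exclusions, and a process spawning an unexpected child) are the ones most worth turning into endpoint detections. The following is an added example of that detection logic, not code from the sandbox vendor or from the report. It runs over constructed Sysmon-style process-creation records (parent image, image, command line) that are invented for the example and are not the sample's real telemetry; the parent/child baselines and the user-writable directory list are assumptions. It also handles the common evasion of hiding the Add-MpPreference call behind -EncodedCommand.

```python
"""Detection logic for two behaviours flagged in the report: PowerShell adding
Windows Defender exclusions, and an unexpected parent/child process pair.
Added example; the events below are constructed, not the sample's telemetry."""
import base64
import ntpath
import re

# Assumed baselines for the example (not taken from the report).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

# Constructed -EncodedCommand payload: PowerShell expects base64 of UTF-16LE text.
ENCODED_SCRIPT = base64.b64encode(
    "Add-MpPreference -ExclusionPath C:\\ProgramData -ExclusionProcess svchost.exe"
    .encode("utf-16-le")
).decode()

# Constructed Sysmon Event ID 1 style records (hypothetical, for illustration only).
EVENTS = [
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe",
     "cmdline": "setup.exe"},
    {"parent_image": "C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"Add-MpPreference "
                "-ExclusionPath C:\\Users\\user\\AppData\\Roaming "
                "-ExclusionExtension exe,dll -ExclusionProcess svchost.exe\""},
    {"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c start setup.exe"},
    {"parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_SCRIPT},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe"},
]


def decode_encoded_command(cmdline):
    """Return the decoded script behind -EncodedCommand/-enc/-e, or None if absent/invalid."""
    m = re.search(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_exclusions(cmdline):
    """Return {'Path'|'Extension'|'Process': [values]} for exclusions added via
    Add-/Set-MpPreference (plain or base64-encoded); empty dict when none."""
    script = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        script += " " + decoded
    if not re.search(r"(Add|Set)-MpPreference", script, re.I):
        return {}
    found = {}
    for kind, value in re.findall(r"-Exclusion(Path|Extension|Process)\s+['\"]?([^'\";\s]+)",
                                  script, re.I):
        found.setdefault(kind.capitalize(), []).extend(value.split(","))
    return found


def unexpected_child(event):
    """Return a reason string if the parent/child pair is suspicious, else None."""
    parent_path = event["parent_image"].lower()
    parent = ntpath.basename(parent_path)
    child = ntpath.basename(event["image"].lower())
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return f"{parent} spawned {child} (macro or exploit)"
    if child in SCRIPT_HOSTS and any(d in parent_path for d in USER_WRITABLE):
        return f"{parent} from a user-writable directory spawned {child}"
    return None


def triage(events):
    """Return [(event index, [reasons])] for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = []
        child_reason = unexpected_child(ev)
        if child_reason:
            reasons.append(child_reason)
        excl = defender_exclusions(ev["cmdline"])
        if excl:
            reasons.append("Defender exclusions added: " + str(excl))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in triage(EVENTS):
        print(idx, "|", "; ".join(reasons))
```

The exclusion parser scans both the raw command line and the decoded -EncodedCommand body, so the encoded variant (event 4) is caught even though its parent is a legitimate-looking svchost.exe and the parent/child rule alone would not fire. The noise in real data comes from administrators who add exclusions legitimately; scope the rule by parent process and by whether the excluded path sits in a user-writable directory before paging on it.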

MITRE ATT&CK Enterprise v15