General

  • Target

    403138422d8da9fdd31fe147959a1403.bin

  • Size

    1.7MB

  • Sample

    241230-blpd1sspgs

  • MD5

    5089692e32a47ee03e7105182585ec87

  • SHA1

    1c833598f1c80f5328cfeb972086a5a647fb6eac

  • SHA256

    fb4541149243c253e9029a1f33c4e915933aee220954a8e8c1982f9ca2522327

  • SHA512

    41500d001d48130b59c9bfa9b6c89a521dc0b6bbc86c6ec2bd96a698bbbc4007371411631cb2c17174813ee5b8e6243c8401ceecc5b9fc16299e694588bfc356

  • SSDEEP

    49152:X7h1UfchfFq/R+LaSdd0nHbcDHi/xVjzj5gvFZYJ4:dRPndG7e2njR4

Malware Config

Targets

    • Target

      4b1a5d38d7741fea74f2cf45d5b215955ba9fe117d6f6a0e7ecbef64118c449b.exe

    • Size

      2.2MB

    • MD5

      403138422d8da9fdd31fe147959a1403

    • SHA1

      913139b08964bc2039eeeea9f491c5c8507b7dcc

    • SHA256

      4b1a5d38d7741fea74f2cf45d5b215955ba9fe117d6f6a0e7ecbef64118c449b

    • SHA512

      3aec241bc828aa7878a632e9e44e3c7daf982e4c412efc499c40e04b88d48b9c2c62e01f00b014ea57148623d022e8c96a3d240b67df5045b746c4b0198e9afb

    • SSDEEP

      49152:IBJ7Zxl12Ref9smYan+7TzjNWScGYDe9eq97DUczTG:ypDzKehnMhtXY6rZYcG

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.
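The "Command and Scripting Interpreter: PowerShell" behaviour above (adding Windows Defender exclusions) is the one most worth catching in process-creation telemetry, because it precedes the rest of the infection. The block below is an added example and is not part of the sandbox report or of the DcRat sample: a small Python detector run over constructed Sysmon Event ID 1 / Security 4688 style records (the field names pid, parent and cmdline are this example's own assumption). It matches Add-/Set-MpPreference with any -Exclusion* parameter, tolerates PowerShell's parameter-prefix abbreviation (-ExclusionPat binds to -ExclusionPath), and decodes -EncodedCommand payloads so the exclusion is still seen when the command line is base64.

```python
"""Flag PowerShell command lines that add Microsoft Defender exclusions.

Added example, not taken from the sandbox report. The events below are
constructed to resemble Sysmon Event ID 1 / Security 4688 process-creation
records; the field names (pid, parent, cmdline) are this example's assumption.
"""
import base64
import re
from dataclasses import dataclass

# Cmdlets that add or overwrite exclusion lists. Remove-MpPreference is
# deliberately not matched: removing an exclusion is not the tampering of interest.
MPPREF_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# PowerShell binds any unambiguous prefix of a parameter name, so "-ExclusionPat"
# is as good as "-ExclusionPath". Match the stem and capture the value
# (single- or double-quoted string, or a bare token up to whitespace / ';').
EXCLUSION_PARAM = re.compile(
    r"-(?P<param>Exclusion\w*)\s+(?P<value>'[^']*'|\"[^\"]*\"|[^\s;]+)",
    re.IGNORECASE,
)

# -EncodedCommand and its short forms (-e, -ec, -enc) carry a base64 UTF-16LE
# script, so the exclusion never appears in the command line as plain text.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    cmdlet: str                        # Add-MpPreference or Set-MpPreference as typed
    exclusions: list                   # [(parameter as typed, value), ...]


def _visible_script(cmdline: str) -> str:
    """Return the command line plus any decoded -EncodedCommand payload."""
    parts = [cmdline]
    for blob in ENCODED_ARG.findall(cmdline):
        try:
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not base64 / UTF-16LE; the plain-text match still runs on the raw line
    return " ; ".join(parts)


def detect_defender_exclusions(events):
    """Return one Finding per Add/Set-MpPreference statement that sets an exclusion."""
    findings = []
    for ev in events:
        script = _visible_script(ev["cmdline"])
        # One command line can chain several statements; scan each so a single
        # line adding path, extension and process exclusions yields them all.
        for stmt in script.split(";"):
            cmdlet = MPPREF_CMDLET.search(stmt)
            if not cmdlet:
                continue
            exclusions = [(m.group("param"), m.group("value").strip("'\""))
                          for m in EXCLUSION_PARAM.finditer(stmt)]
            if exclusions:
                findings.append(Finding(ev["pid"], cmdlet.group(0), exclusions))
    return findings


# Constructed sample telemetry (not from the report). The third event hides the
# cmdlet behind -enc, as a loader would; the last two are benign and must not fire.
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionProcess 'dropped.exe'".encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"pid": 4412, "parent": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Roaming\svc"'},
    {"pid": 4420, "parent": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
     "cmdline": "powershell -nop -w hidden -c \"Add-MpPreference -ExclusionExtension '.exe'; Set-MpPreference -ExclusionPat 'C:\\ProgramData'\""},
    {"pid": 4431, "parent": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
     "cmdline": f"powershell.exe -enc {_ENCODED}"},
    {"pid": 5102, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"'},
    {"pid": 5110, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command \"Remove-MpPreference -ExclusionPath 'C:\\OldTool'\""},
]

if __name__ == "__main__":
    for f in detect_defender_exclusions(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.cmdlet} -> {f.exclusions}")
```

On a host where this fires, confirm the current state with `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess` and look for Event ID 5007 (configuration changed) in the Microsoft-Windows-Windows Defender/Operational log around the same timestamp; an exclusion pointing at a user-writable directory such as AppData or ProgramData, as in the first two sample events, is the usual tell.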

MITRE ATT&CK Enterprise v15

Tasks