General

Target: AIMWARE (infected).zip
Size: 4.3MB
Sample (analysis ID): 250108-jxsvks1mb1
MD5: a5c285176e4e3e57a21b655b949bc128
SHA1: d3b9b8b1315b24c03284a176c8e208a4e3bd741a
SHA256: e276411989e7564bf768901faff735fb27f8965be3944bc375b2b749aec450a0
SHA512: 4db4010ff3f1f544f50b30c5764988f1bfdf7a70bfa32cbb1eafc1e3ec931619278e4a73bcc50c2e190c0f4a252cc494e19e902e0f004281a97f8dd64e3a13da
SSDEEP: 98304:9ImthBssGDoOPIs79tgLhoKUqArG95ntnfSqpJw9:bTQ379tgL6KTptnJs
Malware Config

Targets

Target: AIMWARE.exe (extracted from the submitted archive)
Size: 5.0MB
MD5: f8feaec1783bc248b0353f68485aff64
SHA1: 992edd7ce1421af5adaab756440f35c7fbac5dd0
SHA256: 5c749f72885b58055103294609da1fdb353c754a5c92c7cfacd4a9154ba092c1
SHA512: a8fbb73a28da813f1434685083ae0198cf61ce747e14a88ead68bd87f75b216284027ff4e7926eb8828e92c4001a109a5d890d5350e74df5a5fce2461a156456
SSDEEP: 98304:IwbrPKbZPs4NDyTVu7DIdMitTS4c1ktbUArj12KYJ9j/:XKdlgjztTBtbUArjn69r
Signatures

DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins at runtime to extend its functionality.

Dcrat family

Process spawned unexpected child process
A process started a child it does not normally launch. This typically indicates the parent process was compromised via an exploit or a malicious document macro and is being used to run attacker code.

Checks computer location settings
Reads the country/region code configured in the registry. This is most likely a geofence check: malware that refuses to run, or behaves differently, when the machine's locale matches a list of excluded countries.

Executes dropped EXE
Runs an executable that the sample itself wrote to disk during the analysis.

Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11). This is a common anti-debugging trick: once set, the thread no longer delivers debug events to an attached debugger, so breakpoints in it silently stop working.
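The four behavioural signatures above, re-implemented as rules over a constructed sandbox event trace so the logic behind each one is explicit. This is an added example and is not the sandbox's own signature code: the event schema, the sample trace, the assumed set of parent processes that should never spawn an executable, and the registry path tied to the location check (HKCU\Control Panel\International\Geo\Nation, the value Windows uses for the configured GeoID) are assumptions made for the example.

```python
"""Behavioural-signature checks over a sandbox event trace (added example)."""
import re
from collections import defaultdict

# THREADINFOCLASS value of ThreadHideFromDebugger in ntdll: 0x11 (17).
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Registry value holding the configured location (GeoID). Assumed here to be what the
# "Checks computer location settings" signature watches; Geo\Name is accepted as well.
GEO_KEY_RE = re.compile(r"\\control panel\\international\\geo\\(nation|name)$", re.IGNORECASE)

# Assumption for the example: parents that should never spawn another executable.
UNEXPECTED_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Constructed trace, not taken from the report. Events are ordered as the sandbox saw them.
TRACE = [
    {"kind": "process", "pid": 1000, "ppid": 500,
     "image": r"C:\Users\user\Desktop\AIMWARE.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"kind": "api", "pid": 1000, "api": "NtSetInformationThread",
     "args": {"ThreadInformationClass": 17}},
    {"kind": "registry", "pid": 1000, "op": "read",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "file", "pid": 1000, "op": "write",
     "path": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"kind": "process", "pid": 1100, "ppid": 1000,
     "image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Users\user\Desktop\AIMWARE.exe"},
    {"kind": "process", "pid": 1200, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    # ThreadInformationClass 4 is a priority change: must not trigger the anti-debug rule.
    {"kind": "api", "pid": 1100, "api": "NtSetInformationThread",
     "args": {"ThreadInformationClass": 4}},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_signatures(trace):
    """Return {signature name: [matching events]} for the behaviours the report lists."""
    hits = defaultdict(list)
    dropped = set()  # lower-cased paths of executables written earlier in the run
    for ev in trace:
        kind = ev["kind"]
        if kind == "file" and ev["op"] == "write" and ev["path"].lower().endswith(".exe"):
            dropped.add(ev["path"].lower())
        elif kind == "process":
            # Executes dropped EXE: the new image is a file the run wrote before.
            if ev["image"].lower() in dropped:
                hits["Executes dropped EXE"].append(ev)
            # Unexpected child: the parent is an application that never launches binaries.
            if _basename(ev["parent_image"]) in UNEXPECTED_PARENTS:
                hits["Process spawned unexpected child process"].append(ev)
        elif kind == "registry" and ev["op"] == "read" and GEO_KEY_RE.search(ev["key"]):
            hits["Checks computer location settings"].append(ev)
        elif (kind == "api" and ev["api"] == "NtSetInformationThread"
              and ev["args"].get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
            hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].append(ev)
    return dict(hits)


if __name__ == "__main__":
    for name, events in run_signatures(TRACE).items():
        print(f"{name}: pids {[e['pid'] for e in events]}")
```

The rules are deliberately order-sensitive: "Executes dropped EXE" only fires for a process whose image was written earlier in the same trace, which is what separates a dropper from a process that merely runs a pre-existing binary from a user-writable directory. A real engine would also key the dropped-file set on the writing process tree rather than the whole run.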
MITRE ATT&CK Enterprise v15

Tactic                 Technique                                    Sub-technique                              Hits
Privilege Escalation   Abuse Elevation Control Mechanism (T1548)    Bypass User Account Control (T1548.002)    1
Privilege Escalation   Scheduled Task/Job (T1053)                   Scheduled Task (T1053.005)                 1
Defense Evasion        Abuse Elevation Control Mechanism (T1548)    Bypass User Account Control (T1548.002)    1
Defense Evasion        Impair Defenses (T1562)                      Disable or Modify Tools (T1562.001)        1
Defense Evasion        Modify Registry (T1112)                      (none)                                     2