General
-
Target
NursultanAlphaCrack.bat.exe
-
Size
2.7MB
-
Sample
250113-pewrea1qbw
-
MD5
df15d1f8f7cc71bb1889895b367c7d2c
-
SHA1
4a9d087d105976a1f7a1c7444a25b5e0a8ac0622
-
SHA256
09bdb3282e1927dcb848126823280b066827c5dadd17ee6d445922440889d8f2
-
SHA512
3c5215abd2ca1cee15ae3592eea15cebec2ce0127221c96634ad07ea53cf9fa397bfecd229a56b38c879f2fe6dadfc8bd58ac6541bcfc6eba65017d4b3694e4f
-
SSDEEP
49152:IBJVZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rnh:y7oYp9kiHPbCfX4rsu3GQh
Malware Config
Targets
-
-
Target
NursultanAlphaCrack.bat.exe
-
Size
2.7MB
-
MD5
df15d1f8f7cc71bb1889895b367c7d2c
-
SHA1
4a9d087d105976a1f7a1c7444a25b5e0a8ac0622
-
SHA256
09bdb3282e1927dcb848126823280b066827c5dadd17ee6d445922440889d8f2
-
SHA512
3c5215abd2ca1cee15ae3592eea15cebec2ce0127221c96634ad07ea53cf9fa397bfecd229a56b38c879f2fe6dadfc8bd58ac6541bcfc6eba65017d4b3694e4f
-
SSDEEP
49152:IBJVZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rnh:y7oYp9kiHPbCfX4rsu3GQh
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1