General

  • Target

    60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe

  • Size

    2.7MB

  • Sample

    250118-e2z28sspds

  • MD5

    d1793da857eca536d0d06e1bdfa657ab

  • SHA1

    bb07044f5867554c74063d4c9509248657322040

  • SHA256

    60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2

  • SHA512

    8d35eab524e898a14e17185c64e092c56e310f15e3cd2e0bfd533b15c55b78078dfc2dbaeba3d3a5027a96967fca11cf3c60a4fb859e5ecee28addda04238e4b

  • SSDEEP

    49152:yqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqnc:PyJlQgGk1wPko1oO30UA7Yqq

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET remote access trojan active since June 2019 that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled
