General
-
Target
steap_host.exe
-
Size
1.6MB
-
Sample
210721-vm9en1gxb2
-
MD5
dab849743d8384514fe4cf58f671906b
-
SHA1
e7e9ab0b21329fed51499fc928079a9eb99dc202
-
SHA256
f64ced84f1438d56aecfa5e3d380d1a05323eb39653261ed40667316cec660bc
-
SHA512
8ab771717c28fba589c8274fb185570f22a8168ed4fdebb2a651ef582f52e3690fff9ef1886cd6a553ab51ffb4b39843cc9135bdf306e39af61992411ab164d2
Malware Config
Targets
-
-
Target
steap_host.exe
-
Size
1.6MB
-
MD5
dab849743d8384514fe4cf58f671906b
-
SHA1
e7e9ab0b21329fed51499fc928079a9eb99dc202
-
SHA256
f64ced84f1438d56aecfa5e3d380d1a05323eb39653261ed40667316cec660bc
-
SHA512
8ab771717c28fba589c8274fb185570f22a8168ed4fdebb2a651ef582f52e3690fff9ef1886cd6a553ab51ffb4b39843cc9135bdf306e39af61992411ab164d2
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
DCRat Payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-