General
-
Target
1889e4152e16cfe78a18739fed6fb08a.dll
-
Size
2.7MB
-
Sample
220907-lw8krabff5
-
MD5
1889e4152e16cfe78a18739fed6fb08a
-
SHA1
5e6f4589a3006a311e02ade1384b9898f490b597
-
SHA256
6983444f08941c47b17a1c0f23431f538340e0febaa5858a4afed5bb75650908
-
SHA512
89339007911e01c6d7f24737efa92fc61d1287a31dcee2e802d381c2a9981375212b19bcc270a39a3872b1b4983eb07a4caa4cbf9fa7f6822408263346e83488
-
SSDEEP
49152:UnwY5UQC3ad5/iojZIphmzJAwSXX6cIOjYzxlOwtqo:yj9JAwyqKjYzxlOwz
Malware Config
Targets
-
-
Target
1889e4152e16cfe78a18739fed6fb08a.dll
-
Size
2.7MB
-
MD5
1889e4152e16cfe78a18739fed6fb08a
-
SHA1
5e6f4589a3006a311e02ade1384b9898f490b597
-
SHA256
6983444f08941c47b17a1c0f23431f538340e0febaa5858a4afed5bb75650908
-
SHA512
89339007911e01c6d7f24737efa92fc61d1287a31dcee2e802d381c2a9981375212b19bcc270a39a3872b1b4983eb07a4caa4cbf9fa7f6822408263346e83488
-
SSDEEP
49152:UnwY5UQC3ad5/iojZIphmzJAwSXX6cIOjYzxlOwtqo:yj9JAwyqKjYzxlOwz
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Windows security bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-