Overview
overview
10Static
static
100b74a99460...69.exe
windows10-1703-x64
100b74a99460...69.exe
windows7-x64
100b74a99460...69.exe
windows10-2004-x64
10VinyLauncher.exe
windows10-1703-x64
10VinyLauncher.exe
windows7-x64
8VinyLauncher.exe
windows10-2004-x64
10a2719b1149...56.exe
windows10-1703-x64
10a2719b1149...56.exe
windows7-x64
10a2719b1149...56.exe
windows10-2004-x64
10e6b6a16d17...58.exe
windows10-1703-x64
10e6b6a16d17...58.exe
windows7-x64
10e6b6a16d17...58.exe
windows10-2004-x64
10tmp.exe
windows10-1703-x64
10tmp.exe
windows7-x64
10tmp.exe
windows10-2004-x64
10General
-
Target
dcrat.zip
-
Size
18.5MB
-
Sample
221226-ab851acc75
-
MD5
956a2f758d73f2fad917b2d7b3211c6d
-
SHA1
5b608536a3097fa93da20fd9e7e1e10ed0c5511e
-
SHA256
b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf
-
SHA512
e0ecf94246808f273f84f211581ba476dbd027b36b033b3bbe707b4e3723b6c48b2941704d092af29ff96b577d172f7164dd8da24ec3acdcf3ba9d95d62a8469
-
SSDEEP
393216:rAwNiXm1VRAwNiXMXTW3ZVxQdUCiRWA69dJsfUEGafVgB+UcSgnutEZ80ZhLC:r1VVR1fTaZ+iGJsfUEGqgB+U05FC
Behavioral task
behavioral1
Sample
0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Resource
win7-20221111-en
Behavioral task
behavioral3
Sample
0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
VinyLauncher.exe
Resource
win10-20220901-en
Behavioral task
behavioral5
Sample
VinyLauncher.exe
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
VinyLauncher.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral7
Sample
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Resource
win10-20220812-en
Behavioral task
behavioral8
Sample
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Resource
win7-20220812-en
Behavioral task
behavioral9
Sample
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral10
Sample
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Resource
win10-20220812-en
Behavioral task
behavioral11
Sample
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Resource
win7-20221111-en
Behavioral task
behavioral12
Sample
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral13
Sample
tmp.exe
Resource
win10-20220901-en
Behavioral task
behavioral14
Sample
tmp.exe
Resource
win7-20221111-en
Behavioral task
behavioral15
Sample
tmp.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
https://ipinfo.io/ip
Targets
-
-
Target
0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69
-
Size
1.3MB
-
MD5
e1e945f04fbbeab2efa06d16d21e4c22
-
SHA1
54037b5b03272d255ab875b5791f87902c5b9457
-
SHA256
0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69
-
SHA512
61dfbe4d1803ba11f7318b1338343529be925bd84ba107bccb9d7c3f8175a012ea877a613946419f8486cd1c1606d7433c07342278a8c670a5013e999308ae41
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
-
-
Target
VinyLauncher.exe
-
Size
160KB
-
MD5
6260d545ece6e4f04cafc98adf93ff7b
-
SHA1
5f4f3a9edee92982ba2ff096827fc4da8ecc649a
-
SHA256
8ddb7cbefe9e072050de7fca61b3db887abfdae8bc4f06ffca6446fac3c8c10f
-
SHA512
c80d7b4bf465a43b1a6a1168105ad96b866943339ef109283b5105dd44681ed5799e37996ee87bbceccf0f9bf3a9627c97aa660318c1a7e493be61b5e29c722a
-
SSDEEP
3072:vPw/kZu7QBUiLkFcEdKS2fpp/9eLjEHj9t39cDLztUbkxl:AENBUiLkFcEcS2fppVeLjEHvNcDLzSb
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies security service
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
-
Size
1.7MB
-
MD5
c090c2077f7c71e38f4b7fedfe0ef1e3
-
SHA1
2d01b3e7f9f80961aa6bada443a5d969bf88c052
-
SHA256
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
-
SHA512
150d46cd92ab52985ee1cfa197ecfb50fe83c3d7070b99ffd187e72582b6b539e63edb990dc820882a900f446512c391557848568c35d57382abb48207e0d028
-
SSDEEP
24576:U2G/nvxW3Ww0tjWmsIUvGdf4wNKfgo9WB4E/rR9NVGIoUtcrneDa0kPs/MQdb6Of:UbA30jW9vgwrng9EIZyqa0esNnN5P
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
-
-
Target
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
-
Size
1.3MB
-
MD5
adde6baef89ebb01b5e60f15610ba470
-
SHA1
edc49b43aa822b754ee617db11c3ffc1a3e79ec1
-
SHA256
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
-
SHA512
89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
tmp
-
Size
15.7MB
-
MD5
b27e540aef37c99f3cfd2766c2e61784
-
SHA1
c516b74daec17d1bc788c54433cf10899ee07e92
-
SHA256
28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
-
SHA512
641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
-
SSDEEP
393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Modifies security service
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Scheduled Task
5Modify Existing Service
3Winlogon Helper DLL
1Account Manipulation
1Registry Run Keys / Startup Folder
1