General
-
Target
HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
-
Size
1.5MB
-
Sample
230116-vmd48aeb71
-
MD5
413be497be904c09aa8bfe8f0182a949
-
SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf
-
SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21
-
SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee
-
SSDEEP
24576:Ut0u6OwrhMEjG9rSVSv52b/1RPc0I+7xPgXJsVUAvu6jFShHpNpV8xH7+4:Uth6l+eGtUvcx+GXJsVXu6jFKpveK
Malware Config
Targets
-
-
Target
HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
-
Size
1.5MB
-
MD5
413be497be904c09aa8bfe8f0182a949
-
SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf
-
SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21
-
SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee
-
SSDEEP
24576:Ut0u6OwrhMEjG9rSVSv52b/1RPc0I+7xPgXJsVUAvu6jFShHpNpV8xH7+4:Uth6l+eGtUvcx+GXJsVXu6jFKpveK
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Drops file in System32 directory
-