General
-
Target
3d454a64e7f14ab734752a9414f8cbd0.exe
-
Size
2.5MB
-
Sample
230119-en4s9sbg2z
-
MD5
3d454a64e7f14ab734752a9414f8cbd0
-
SHA1
a239dccbba74d4d17fae19552e122043f9501b2d
-
SHA256
286acc4048494eecfb642fa7c95f459551c0fa3f7d2d117c8792cb6a1b3ab33d
-
SHA512
4cfb9e4005fd18c3d9b0805c64fd34627c7090e8945fd7aa8fc0ba91babe6840a660245547b8971467416c629ad28e4362298520dbe9efdb734c310ff3ed0f77
-
SSDEEP
49152:iSg8kOqBMdDhtQM4I+MkmJm9LcBwQYdXQ4J:9fkOqGhhtn9+nmJm9LcBCXvJ
Malware Config
Targets
-
-
Target
3d454a64e7f14ab734752a9414f8cbd0.exe
-
Size
2.5MB
-
MD5
3d454a64e7f14ab734752a9414f8cbd0
-
SHA1
a239dccbba74d4d17fae19552e122043f9501b2d
-
SHA256
286acc4048494eecfb642fa7c95f459551c0fa3f7d2d117c8792cb6a1b3ab33d
-
SHA512
4cfb9e4005fd18c3d9b0805c64fd34627c7090e8945fd7aa8fc0ba91babe6840a660245547b8971467416c629ad28e4362298520dbe9efdb734c310ff3ed0f77
-
SSDEEP
49152:iSg8kOqBMdDhtQM4I+MkmJm9LcBwQYdXQ4J:9fkOqGhhtn9+nmJm9LcBCXvJ
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-