General
-
Target
9sUsHji0MKVo7U2RZ9gX14M.exe
-
Size
1.1MB
-
Sample
230127-d1ymcahg2t
-
MD5
199ccc5abc45dd2c45831f1de72bb58a
-
SHA1
d832e8a52a971432fc575088e37831faec7008f2
-
SHA256
a6b84afa6a28c6032c427152885270d3849a6a4134e442cac42e3f78becefc84
-
SHA512
9f5b808d0d7a2cc09f5455f0090abb763d47d53dea18be3f5e2d44bb2eead80e6934491f13f7def2e17e1e3b89b2103fc122c337adf7243d5b9876e001bf67fc
-
SSDEEP
12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa
Malware Config
Targets
-
-
Target
9sUsHji0MKVo7U2RZ9gX14M.exe
-
Size
1.1MB
-
MD5
199ccc5abc45dd2c45831f1de72bb58a
-
SHA1
d832e8a52a971432fc575088e37831faec7008f2
-
SHA256
a6b84afa6a28c6032c427152885270d3849a6a4134e442cac42e3f78becefc84
-
SHA512
9f5b808d0d7a2cc09f5455f0090abb763d47d53dea18be3f5e2d44bb2eead80e6934491f13f7def2e17e1e3b89b2103fc122c337adf7243d5b9876e001bf67fc
-
SSDEEP
12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-