General

  • Target

    6b0163291d7d628a956106da672d9d887708e549fb6bcfadfa60bbf25972015e

  • Size

    833KB

  • Sample

    230129-1w3rtsfh6x

  • MD5

    2df1a02aa24dbd24ad032ebea74c3563

  • SHA1

    099c1618e594b0acfdf2aab4599021bafb6ab65f

  • SHA256

    6b0163291d7d628a956106da672d9d887708e549fb6bcfadfa60bbf25972015e

  • SHA512

    bca66bd11b0d7861315a69587fb9b7fe7291ae9bc90c7283b0579aad045cc7d6341de1cdfbf44c50153ead45f84d89b7b91bdfbd9be0311b90dec6c280093195

  • SSDEEP

    24576:6AOcZiJriaxuJP03tLLMbzyjQRNNuxGzDvtkTq:AEJ2LU0QLaGz7tkO

Malware Config

Targets

    • Target

      6b0163291d7d628a956106da672d9d887708e549fb6bcfadfa60bbf25972015e

    • Size

      833KB

    • MD5

      2df1a02aa24dbd24ad032ebea74c3563

    • SHA1

      099c1618e594b0acfdf2aab4599021bafb6ab65f

    • SHA256

      6b0163291d7d628a956106da672d9d887708e549fb6bcfadfa60bbf25972015e

    • SHA512

      bca66bd11b0d7861315a69587fb9b7fe7291ae9bc90c7283b0579aad045cc7d6341de1cdfbf44c50153ead45f84d89b7b91bdfbd9be0311b90dec6c280093195

    • SSDEEP

      24576:6AOcZiJriaxuJP03tLLMbzyjQRNNuxGzDvtkTq:AEJ2LU0QLaGz7tkO

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks