General
-
Target
pTdbWeYTRtzW2gi.exe
-
Size
1.1MB
-
Sample
230130-cmvg4adf24
-
MD5
8496c268e5795f8734c886bf68ee141c
-
SHA1
dc642bd6fc6fad71ab5ac10cc35a040ad993db5c
-
SHA256
576437a881af98afed6680cd7fe0ae52adb87a528ece6d367eaf436765fe1d9e
-
SHA512
f7b7681352174ec9096fdf0dca8bbfaabac219cbea6f134fcd139cc77b52f861cc2034f8dda8c7d945c57ed6777fc193805ada1b95f8f2408cfd023c77a2d026
-
SSDEEP
12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa
Malware Config
Targets
-
-
Target
pTdbWeYTRtzW2gi.exe
-
Size
1.1MB
-
MD5
8496c268e5795f8734c886bf68ee141c
-
SHA1
dc642bd6fc6fad71ab5ac10cc35a040ad993db5c
-
SHA256
576437a881af98afed6680cd7fe0ae52adb87a528ece6d367eaf436765fe1d9e
-
SHA512
f7b7681352174ec9096fdf0dca8bbfaabac219cbea6f134fcd139cc77b52f861cc2034f8dda8c7d945c57ed6777fc193805ada1b95f8f2408cfd023c77a2d026
-
SSDEEP
12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-