General
-
Target
HEUR-Trojan-Spy.MSIL.Stealer.gen-fd9e479531a1.exe
-
Size
1.1MB
-
Sample
230201-qext5sdh65
-
MD5
4f85fd9da0e6d825b520f09905b16301
-
SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07
-
SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942
-
SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e
-
SSDEEP
24576:TGyavpdrgnar7l2odPdcsZHpa+AGO05d2GqXW+lWR++4:wlr7tcsZHpaVwulm
Behavioral task
behavioral1
Sample
HEUR-Trojan-Spy.MSIL.Stealer.gen-fd9e479531a1.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Spy.MSIL.Stealer.gen-fd9e479531a1.exe
Resource
win10v2004-20221111-en
Malware Config
Targets
Target
HEUR-Trojan-Spy.MSIL.Stealer.gen-fd9e479531a1.exe
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Adds Run key to start application
-
Drops file in System32 directory
-