General
-
Target
718c1a4f0cdacf94d4d6ad97e06a459f.bin
-
Size
10.0MB
-
Sample
230322-bx2hqaeb56
-
MD5
44455c29a6cda31fe83c711574fae061
-
SHA1
93b208731aaf0881eeaf83ada51f0b05e389f3a4
-
SHA256
442e9da5b83a8273d33a95a6cdbe4d6fc9c38fd95f87a007025d959891e7346a
-
SHA512
e354a08a4bebb4d302b5d5acd300be9ed0d983af24678c8b41306fdfc437697c2c5c50cab9529240e0d4b1ca221437ee6029c44acbe73fc563c609e2af3e34ff
-
SSDEEP
196608:Vm6QJBNHlU1Q7vGJQ+PkzbzQ7ydqLY/WXRwwNBtoLc1fh2A4z368YV:Vm6Qbr7ui+8Hz8y4ceXR9vQ2h54z3684
Malware Config
Targets
-
-
Target
7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
-
Size
10.0MB
-
MD5
718c1a4f0cdacf94d4d6ad97e06a459f
-
SHA1
f7ea9a4f39e415c15ef563ecd4f381013e52d3a7
-
SHA256
7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033
-
SHA512
8a3d55db0a4eae644922895e140269f22f8214af875bf3544255bcc1be6b1de9a1274b1dd41cc4ac5826a9ac5e1d8d216994891dc124c01ba722db214652f80e
-
SSDEEP
196608:2JJ8G/X6v9189c+HzrMyU59NSOWQqA00aWOj/AoDvVq:2JJTCv8cEnMrrNSOhLPOj/Pv
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies security service
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-