General
-
Target
8BP_Cheto_Updated.rar
-
Size
10.0MB
-
Sample
230325-nlx3dacd76
-
MD5
1647bffdf64aff25ed0fcb0fcb3fe756
-
SHA1
e84a9291e21b97ff176a4c4f930a770950bfe857
-
SHA256
a165146ac8257340eeae4ae6a89a0c81f8e8ef743fda1e671b34b226fca9ff5e
-
SHA512
399b0775354434e8fa8990b5938dbfd0c0e885cbb08dd28fa765dc828dc45f7dc169c71cf30ea5abc0b7d23433e6c6b4a2c67a2033faace01e7cfe16a01052d7
-
SSDEEP
196608:qHaH3sIvJUsn64SFyZGI4TH7tFTfuZ6DJbpDf/0pNIFQPMkdYiv+21vnzF:hHH6AcyZf4LvTXtbpDyFPMkTv+ezF
Malware Config
Targets
-
-
Target
8BP_Cheto.exe
-
Size
10.0MB
-
MD5
718c1a4f0cdacf94d4d6ad97e06a459f
-
SHA1
f7ea9a4f39e415c15ef563ecd4f381013e52d3a7
-
SHA256
7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033
-
SHA512
8a3d55db0a4eae644922895e140269f22f8214af875bf3544255bcc1be6b1de9a1274b1dd41cc4ac5826a9ac5e1d8d216994891dc124c01ba722db214652f80e
-
SSDEEP
196608:2JJ8G/X6v9189c+HzrMyU59NSOWQqA00aWOj/AoDvVq:2JJTCv8cEnMrrNSOhLPOj/Pv
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-