General
-
Target
DCRat Crack Test VERSION.exe
-
Size
3.7MB
-
Sample
230403-v5pzfagb67
-
MD5
0cf54aebcc76f09c147863b916a494fc
-
SHA1
5a41a7060f20f4bc16ba4a60c8f22aa16495cb3e
-
SHA256
0cac16b9e6b85c3415ebc63def32b4bc999182a7a09197afdcf0851f57aae68d
-
SHA512
8dc0c4fe4649523e155bf7c57ceccb70524b27a18374e4e5fa1b991ad322181dca131b99729926f9d54dd3a1c1f86fdb40607a4e9790d0acceef2e116ba4712e
-
SSDEEP
98304:OavNz0cqlVkGIgKuP04hZ9gA2aT3v9f8473v0H:OUNYcqMGIgdrgfaT/p8S3v0H
Static task
static1
Behavioral task
behavioral1
Sample
DCRat Crack Test VERSION.exe
Resource
win7-20230220-en
Malware Config
Targets
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
.NET Reactor protector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-