General
Target: 58c06312c4b8a6e6e68873da9afe2a79a486e16a2d764f7268880ae27bf0d8be
Size: 7.4MB
Sample: 230508-cw3j3aae5w
MD5: f7d0e149bddca9ffb632c4bc87f30163
SHA1: d5d2fe6bc68b267a9528d83d6b687295b281d0dc
SHA256: 58c06312c4b8a6e6e68873da9afe2a79a486e16a2d764f7268880ae27bf0d8be
SHA512: 34b2868f9e4836dc6457c9b840ccd60396580891d22a0c0192e7adfef6789248f8baa636602bff100910908dc84982be738b9dc5028742734819ae6d2019c209
SSDEEP: 196608:qfzxcG5n/2lsE6DZiQlPjq/0zSPLIbymyPj:qfzxcYn/28DZiQhlz67
Behavioral task: behavioral1
Sample: 58c06312c4b8a6e6e68873da9afe2a79a486e16a2d764f7268880ae27bf0d8be.exe
Resource: win10v2004-20230220-en
Malware Config
Targets
Target: 58c06312c4b8a6e6e68873da9afe2a79a486e16a2d764f7268880ae27bf0d8be
Score: 10/10
Signatures
- DcRat
  DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Modifies security service
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Stops running service(s)
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext