General
-
Target
02965599.exe
-
Size
2.6MB
-
Sample
230613-nz677sga42
-
MD5
372cc839865083adf0f65df5328bd899
-
SHA1
c0b501e644a12cd28957359f81e984b669c630a4
-
SHA256
147e07c4f900dbd2c64b3bf60502937838a2b2afed76ada94ef8705a12b5b6a6
-
SHA512
09ca0793b79583178f2aa9de209adaa73e4ca3c898bf732ee4874adea070caacebaec961772feca62816c0c45de0acc7ca940e08862c14b7b01178649eabc36e
-
SSDEEP
49152:UbA30qPDl0T7HdZNFvKiUy2CDnVjT6f3XFmI2:UbcJ0T7jvL+2BTsHFmI2
Malware Config
Targets
-
-
Target
02965599.exe
-
Size
2.6MB
-
MD5
372cc839865083adf0f65df5328bd899
-
SHA1
c0b501e644a12cd28957359f81e984b669c630a4
-
SHA256
147e07c4f900dbd2c64b3bf60502937838a2b2afed76ada94ef8705a12b5b6a6
-
SHA512
09ca0793b79583178f2aa9de209adaa73e4ca3c898bf732ee4874adea070caacebaec961772feca62816c0c45de0acc7ca940e08862c14b7b01178649eabc36e
-
SSDEEP
49152:UbA30qPDl0T7HdZNFvKiUy2CDnVjT6f3XFmI2:UbcJ0T7jvL+2BTsHFmI2
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-