General

  • Target

    devalt.exe

  • Size

    2.0MB

  • Sample

    230630-plvspabb46

  • MD5

    fc9ea28a3c3659c4200e442d20198458

  • SHA1

    79ede873cd08d5941e54524dd85b5add0a79bd7c

  • SHA256

    51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

  • SHA512

    c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17

  • SSDEEP

    49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score
10/10

Malware Config

Targets

    • Target

      devalt.exe

    • Size

      2.0MB

    • MD5

      fc9ea28a3c3659c4200e442d20198458

    • SHA1

      79ede873cd08d5941e54524dd85b5add0a79bd7c

    • SHA256

      51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

    • SHA512

      c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17

    • SSDEEP

      49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks