General
-
Target
NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
-
Size
1.8MB
-
Sample
231023-weq99abg8y
-
MD5
042131ad58f4624f9722ce342319396b
-
SHA1
e55031479a1a376eb230d91ae3352dfb24b5abaf
-
SHA256
ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1
-
SHA512
aaed88b7be43daa14798b867c3ec3c67c0c079bb50a496ff0ecf4db7709f77917882c9d8f02ad0e6b090ce5a3dca8e644948631b539aaca3885908df92e34505
-
SSDEEP
24576:hV2ut7GyxsE5HOT3RcchdduLG0ZAQo0wRBq+QEf9oDGIv:bjtFsRcQdiG0ZvcuGy
Behavioral task
behavioral1
Sample
NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Resource
win10v2004-20231023-en
Malware Config
Targets
-
-
Target
NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2
Registry Run Keys / Startup Folder
1
Winlogon Helper DLL
1
Scheduled Task/Job
1