General

  • Target

    DCRatBuild.exe

  • Size

    2.2MB

  • Sample

    231204-cjd1yage61

  • MD5

    6eb433b80c109ad5d2342a461cf344cf

  • SHA1

    1db227016fce2475e2c6e957330afc6e64e2064e

  • SHA256

    d4a578ec1a8a2ea4ad971310ecebb996529d90a7ebe264be20fb57d5a25371e2

  • SHA512

    1585da261489db71390d4af718b1c92b713f2df6ed234e385aba264be5213c0c9987890b9a80e5e1f903eb2f24a7bd105390e1303ca06c8083f21e64f8e8d3a4

  • SSDEEP

    49152:UbA30ajT26LGj1+dG6/CXhpxK/uVtmJPZVmL8eRQaiHcZphJPGXhL:UbOj9LGj12qXRKMt0PMWDcZphIhL

Score
10/10

Malware Config

Targets

    • Target

      DCRatBuild.exe

    • Size

      2.2MB

    • MD5

      6eb433b80c109ad5d2342a461cf344cf

    • SHA1

      1db227016fce2475e2c6e957330afc6e64e2064e

    • SHA256

      d4a578ec1a8a2ea4ad971310ecebb996529d90a7ebe264be20fb57d5a25371e2

    • SHA512

      1585da261489db71390d4af718b1c92b713f2df6ed234e385aba264be5213c0c9987890b9a80e5e1f903eb2f24a7bd105390e1303ca06c8083f21e64f8e8d3a4

    • SSDEEP

      49152:UbA30ajT26LGj1+dG6/CXhpxK/uVtmJPZVmL8eRQaiHcZphJPGXhL:UbOj9LGj12qXRKMt0PMWDcZphIhL

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks