General
-
Target
NEAS.d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324aexe.exe
-
Size
2.8MB
-
Sample
231204-tqhq5scf49
-
MD5
67d63647fd74c386be72f970b7de593f
-
SHA1
c23f60cbf8045860a71a1287c495ea326d9279d8
-
SHA256
d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324a
-
SHA512
e7edec285b1b11082634e5b07295c03576502b60d2a0ec8cee50afd0a08d2c671b280295ef11c45404dddb8c1577d01164991ba2b1ee9f1df01cfbbb664725e0
-
SSDEEP
24576:kU2/NtvgQqx9REEG8JeKMRcUZ4z/4/kY8HdBOVoYGZxdKmhACS4rm79JioLobI5y:hWNtg6+Maq0AL8xHACS4rojaL
Behavioral task
behavioral1
Sample
NEAS.d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324aexe.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
NEAS.d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324aexe.exe
Resource
win10v2004-20231127-en
Malware Config
Targets
-
-
Target
NEAS.d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324aexe.exe
-
Size
2.8MB
-
MD5
67d63647fd74c386be72f970b7de593f
-
SHA1
c23f60cbf8045860a71a1287c495ea326d9279d8
-
SHA256
d0f98ae4d8b585e9e7ea3258fd72b21dece44a9dd018eff8f0b890c579fa324a
-
SHA512
e7edec285b1b11082634e5b07295c03576502b60d2a0ec8cee50afd0a08d2c671b280295ef11c45404dddb8c1577d01164991ba2b1ee9f1df01cfbbb664725e0
-
SSDEEP
24576:kU2/NtvgQqx9REEG8JeKMRcUZ4z/4/kY8HdBOVoYGZxdKmhACS4rm79JioLobI5y:hWNtg6+Maq0AL8xHACS4rojaL
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1