General
-
Target
20ec8d347f674ebadc53399ef6aa49cb.exe
-
Size
3.4MB
-
Sample
231207-anb12ahha5
-
MD5
20ec8d347f674ebadc53399ef6aa49cb
-
SHA1
f418d228eb276f216b4986b55b2c762d11991a31
-
SHA256
9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
-
SHA512
e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
-
SSDEEP
49152:RoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9Bl0fijOu4:RW6eW8WAh2DQyC0q8G9wyQ
Behavioral task
behavioral1
Sample
20ec8d347f674ebadc53399ef6aa49cb.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
20ec8d347f674ebadc53399ef6aa49cb.exe
Resource
win10v2004-20231130-en
Malware Config
Targets
-
-
Target
20ec8d347f674ebadc53399ef6aa49cb.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)