General
-
Target
0924b9eca922c9227c4f426be5174bae.exe
-
Size
4.8MB
-
Sample
231207-bc75rsgdcq
-
MD5
0924b9eca922c9227c4f426be5174bae
-
SHA1
8d2abdecd0fc744ee836d75ad5c3b52585d8041f
-
SHA256
e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8
-
SHA512
47a234ac042b01fdd3d9eaf33f80d932386c841ad64cb8453e9c2e56a71d869eac632e0a8b5af029a9187e8367147ec1afcc337bc9249f253ddff6a743ba9de2
-
SSDEEP
49152:wZ52zVeXI03Z6wg8NEoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9BA:YghQjZ6wt2W6eW8WAh2DQyC0q8G9wyQ/
Behavioral task
behavioral1
Sample
0924b9eca922c9227c4f426be5174bae.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
0924b9eca922c9227c4f426be5174bae.exe
Resource
win10v2004-20231127-en
Malware Config
Targets
-
-
Target
0924b9eca922c9227c4f426be5174bae.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence check.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)