General
-
Target
24EDBB670151083A35200EAE5E927259.exe
-
Size
2.0MB
-
Sample
240225-mm8ptshf95
-
MD5
24edbb670151083a35200eae5e927259
-
SHA1
c69efb169379d77388c94969fdcb3f50f768cfcc
-
SHA256
9084394a955e7b25bca70b2298e1e3359c5aab5189628b647eba18706ffd67c3
-
SHA512
dffdea54ed58823858cc30259b64536cd96c6ab28d8eb4570d9501d187b82ac48f1ee7ac8058555df725165ae660f279ec259b2dafa5b3056e98ed84b003b0a2
-
SSDEEP
49152:FqHEuTrhUqQcvwHnX9B0gQ1TgqAsoqbBmXob3:QHrUqQcvQnX9B0gQ1TgqAsRVmXob3
Malware Config
Targets
-
-
Target
24EDBB670151083A35200EAE5E927259.exe
-
Size
2.0MB
-
MD5
24edbb670151083a35200eae5e927259
-
SHA1
c69efb169379d77388c94969fdcb3f50f768cfcc
-
SHA256
9084394a955e7b25bca70b2298e1e3359c5aab5189628b647eba18706ffd67c3
-
SHA512
dffdea54ed58823858cc30259b64536cd96c6ab28d8eb4570d9501d187b82ac48f1ee7ac8058555df725165ae660f279ec259b2dafa5b3056e98ed84b003b0a2
-
SSDEEP
49152:FqHEuTrhUqQcvwHnX9B0gQ1TgqAsoqbBmXob3:QHrUqQcvQnX9B0gQ1TgqAsRVmXob3
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1