General
- Target: 55E1910554C49614E6012367C09E13AB.exe
- Size: 3.3MB
- Sample: 240323-ehcgtsdb49
- MD5: 55e1910554c49614e6012367c09e13ab
- SHA1: eb7bf3329b438593c6a1a16e0b7bec39095ac149
- SHA256: b97e2d55213c845bb9055906a5357723d523397c6d5b6d48a0115c9bd00f67de
- SHA512: ee01c2399f39b675ca3f41817c6f337f94dbec1fce97ae25f134b00296be3c71a17073b56142485d991f7c5349db41eec5f6e925aab3982adef0455a5f7202c2
- SSDEEP: 49152:o8xhCcpCNPulYCFckZHvEdM1jegx7oOCM1Gn72tESduILWMJd33eRkX2EuFgtDGg:NhrChV+cU/NeBPMY72tRR0EuUG

Static task: static1

Behavioral task: behavioral1
- Sample: 55E1910554C49614E6012367C09E13AB.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 55E1910554C49614E6012367C09E13AB.exe
- Resource: win10v2004-20240226-en
Malware Config
Targets
- Target: 55E1910554C49614E6012367C09E13AB.exe
- Size: 3.3MB
- MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above
Score: 10/10

Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Modifies WinLogon for persistence
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)