General
-
Target
030582b15428c7552c10059da82808fd0115b9fa5b48362b61d457ed8b9fb012
-
Size
240KB
-
Sample
240417-pm9y1aeg89
-
MD5
f209806598b6e028931897b121cea5fc
-
SHA1
d4c825e7d05170dfc62ebc3d5fbe473fd5078378
-
SHA256
030582b15428c7552c10059da82808fd0115b9fa5b48362b61d457ed8b9fb012
-
SHA512
fb8a62a104a675f36d44214b409130d7863bf07a1df48fbf5f6ad016d5137701797134a4d7596b28bc6efa53c4b22938b49426e00bccfbdcf0ecae7025395aba
-
SSDEEP
6144:mJEej9ULGX4/7clczVDqpRoSWbcZt2+uHZRTAa:mLB+TzclczVDxnJ5R0a
Malware Config
Targets
-
-
Target
c1dcf7f5ba1bfb2c010b6241e11fbd045135faf65bab7c785d4e8c910e9d3fa6.exe
-
Size
539KB
-
MD5
3bc67fceb93f6924bcda3896a6b8365a
-
SHA1
56d0e8e963ee2bf556551fff0f9196439c2351b5
-
SHA256
c1dcf7f5ba1bfb2c010b6241e11fbd045135faf65bab7c785d4e8c910e9d3fa6
-
SHA512
f056c800785956e877629feafff9d09606247fb481fc2d68d8cf4594192d68af388a1b0563521706d1f6bd58cec9d643903e579f8fa6323625d57e3865271374
-
SSDEEP
12288:uWtxw20+rZdGDSnn3/Km1wXWaeLXQKvGGl:3tVTGGnPp47YeGl
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1