General
-
Target
410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe
-
Size
828KB
-
Sample
240420-blgzyace28
-
MD5
38cae3e5ad321877f760a30170e1dbd8
-
SHA1
7ca4a891c40ce36a4533aabe32b4a7c70180f6f8
-
SHA256
410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a
-
SHA512
4c2299d27f435f3457c5047b8021b930a4a4d2b8be3dea5d23508499f497d2042b53b67cb071def371f5d6335b372078c362de27533865a09183c3e1fdd9c745
-
SSDEEP
12288:wzXIzsFQQP9ztnsyyjDO0l4yOaPFXs718A4FuG0tlW+Sro3TVuQ3:wNFQQP3sXDOuHOCFXs71KASroo2
Behavioral task
behavioral1
Sample
410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe
Resource
win10v2004-20240412-en
Malware Config
Targets
-
Target
410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1