General
-
Target
460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe
-
Size
3.2MB
-
Sample
240420-lgqrdseb41
-
MD5
a7efa1a450a8e594e78db49b8e496dfb
-
SHA1
f4f830b132f8ee15eee245581670498c9b3bf942
-
SHA256
460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3
-
SHA512
4aa1220b16c1fa32ede5ab7fd7ab0174d0cfb8f556e3798255d9f2a6e284fc3eb5860084297c26b06f94bbe2c62f8d6853c4b39ac7fae407496417b6a4c66b21
-
SSDEEP
49152:Xdh7FqRrDLaRmdx3GfjfWnS3zu/zocfRKoLNdCQDGLZlEb9GxL8T:xEGRmP3w6nazu/zdfR3dCQDUZnxgT
Malware Config
Targets
-
-
Target
460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe
-
Size
3.2MB
-
MD5
a7efa1a450a8e594e78db49b8e496dfb
-
SHA1
f4f830b132f8ee15eee245581670498c9b3bf942
-
SHA256
460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3
-
SHA512
4aa1220b16c1fa32ede5ab7fd7ab0174d0cfb8f556e3798255d9f2a6e284fc3eb5860084297c26b06f94bbe2c62f8d6853c4b39ac7fae407496417b6a4c66b21
-
SSDEEP
49152:Xdh7FqRrDLaRmdx3GfjfWnS3zu/zocfRKoLNdCQDGLZlEb9GxL8T:xEGRmP3w6nazu/zdfR3dCQDUZnxgT
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-