General
-
Target
fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056
-
Size
2.0MB
-
Sample
240424-2rt5kabb3z
-
MD5
96373b1a9080aa751b5a98fc96cfb66c
-
SHA1
17436af89fdf67d4c60416b7bccda9f6cb3cd490
-
SHA256
fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056
-
SHA512
4cacede2b67488e46c978cbd1956ed4c0b0c1657bdd3e9b9a80203bb1175fb0b2aceadd8dbedef331332d578191620435e9561b56db420b28b767ba2dfdc9f79
-
SSDEEP
24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc
Behavioral task
behavioral1
Sample
fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Resource
win10v2004-20240226-en
Malware Config
Targets
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Detects executables containing base64 encoded gzip files
-
Detects executables packed with SmartAssembly
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1