General

  • Target

    4ddd13c4a3ffff1a0e3ef194e52f65a0_NEAS

  • Size

    2.0MB

  • Sample

    240507-clys5adf9y

  • MD5

    4ddd13c4a3ffff1a0e3ef194e52f65a0

  • SHA1

    f19f68c1ee2313667722f18944fc1d3885b2199c

  • SHA256

    2db6b0154ea9e9ebd4c13868562e7147e8a2fcaaa5dadd497410745a377b0e44

  • SHA512

    5e274b01576b54490dc1af367e6b016396238cd9fee2c3d4ff52419a72e4d7613a5d46340bc6337f955fe850bcd8c564d3d8ad5a21e7b2d95bdf00d4c6949bf3

  • SSDEEP

    24576:Un2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:CaTUv0jmtEttc

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15