General
Target: LOLL.bat
Size: 1.1MB
Sample: 240615-zrh17axgpl
MD5: 0130dafefe6cde44832da8b64f04f27f
SHA1: 7eed11400e6aa295bdc3858f801d2cbafcc41662
SHA256: 99c364d0553d83eea564880a3399405ef7788b615bed2c412ba1a48e076f270e
SHA512: ab0c7df053e2a5163cd7c89067a067aa54c20497eb27b5094426c0fcb3aaaf0df415452a057ca5d1ab38d98b75f5c0bbf24f50c84b5fc910cee34cbb6b61225c
SSDEEP: 24576:U2G/nvxW3Ww0tWT9OlvcqOWv3vW/cDu+xdlDl:UbA30cAl0WvfjHR5
Behavioral task: behavioral1
Sample: LOLL.exe
Resource: win10v2004-20240611-en
Malware Config
Targets
Score: 10/10

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Downloads MZ/PE file

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Executes dropped EXE

Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.