General

  • Target

    DCRatBuild.exe

  • Size

    1.1MB

  • Sample

    240618-pehjsasgqa

  • MD5

    6eea75007b57d1c9789b3cb3c8cbe084

  • SHA1

    ea5c60cd86621ea57ed0abafce8606d5f98dbb75

  • SHA256

    048b7a93d0105e3415f91494594ee39b11146b5a9948555f928a9e5153387dd6

  • SHA512

    29edb6be0eba4645daa2b09323312792aa3e60c5100f0bfbe45d28214b394a374c8a43b8925353cc1e9c4d5e9e38aab1495b9447ff4a5336f3b9322871e693e8

  • SSDEEP

    24576:U2G/nvxW3Ww0tu/CBCj8HCXrS6mzYhDJD00Da:UbA30u/CdHSTpJI

Score
10/10

Malware Config

Targets

    • Target

      DCRatBuild.exe

    • Size

      1.1MB

    • MD5

      6eea75007b57d1c9789b3cb3c8cbe084

    • SHA1

      ea5c60cd86621ea57ed0abafce8606d5f98dbb75

    • SHA256

      048b7a93d0105e3415f91494594ee39b11146b5a9948555f928a9e5153387dd6

    • SHA512

      29edb6be0eba4645daa2b09323312792aa3e60c5100f0bfbe45d28214b394a374c8a43b8925353cc1e9c4d5e9e38aab1495b9447ff4a5336f3b9322871e693e8

    • SSDEEP

      24576:U2G/nvxW3Ww0tu/CBCj8HCXrS6mzYhDJD00Da:UbA30u/CdHSTpJI

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks