General

  • Target

    DCRatBuild.exe

  • Size

    1.5MB

  • Sample

    240618-rmgnkaxcnf

  • MD5

    0a9a89cf2dc3517c149c25dd3283fc80

  • SHA1

    322587f3d9a2c8142d6002d989fd31f3c20ba84a

  • SHA256

    f413c35eca818b528e5a0e5aa6c8fdd46f9e1e40d379feb3a70b58310c6c514a

  • SHA512

    5ec90cc61a43bb7029150dcaa741bab7914512036e4e21928aebf02309d211401796a9b7be36cd2bb7f0ebdb8a36013137c4fb06d7301f0c56ecd18feb69bdf4

  • SSDEEP

    24576:U2G/nvxW3Ww0tO7X8aPEgLHD7rGqXj0O7LFxd5ieEn3U4cLwDI:UbA30O7sadbGSQONHzE74w8

Score
10/10

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL
