General
-
Target
Desktop.exe
-
Size
2.8MB
-
Sample
240619-t2s19atdjb
-
MD5
0eab9acd08b61cdf615cb068a37721ec
-
SHA1
abb40ff6143036f6fecf58c1ddcbb0db932d5c56
-
SHA256
eb02a5967a610b6c1f6c4070426bfae82286404b0c12120c4538f6616046ac82
-
SHA512
9747726e1e384b82743cfe3e55d3da8b60451b7118b6f1b0e7403920e149e1836833f76367d591a5d31091366655b962919b16d03a9a8f4e65641ea320a96cef
-
SSDEEP
49152:lOtT5e0aSL6Z1zfbCW2aomgmFSD4HjLgfDFCfX9nViw3DNSV5F+5Q:lOtTU/SL41zfNgmFS8HjasftcwBg4Q
Static task
static1
Behavioral task
behavioral1
Sample
Desktop.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Desktop.exe
Resource
win10v2004-20240611-en
Malware Config
Targets
-
-
Target
Desktop.exe
-
Size
2.8MB
-
MD5
0eab9acd08b61cdf615cb068a37721ec
-
SHA1
abb40ff6143036f6fecf58c1ddcbb0db932d5c56
-
SHA256
eb02a5967a610b6c1f6c4070426bfae82286404b0c12120c4538f6616046ac82
-
SHA512
9747726e1e384b82743cfe3e55d3da8b60451b7118b6f1b0e7403920e149e1836833f76367d591a5d31091366655b962919b16d03a9a8f4e65641ea320a96cef
-
SSDEEP
49152:lOtT5e0aSL6Z1zfbCW2aomgmFSD4HjLgfDFCfX9nViw3DNSV5F+5Q:lOtTU/SL41zfNgmFS8HjasftcwBg4Q
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1