General

  • Target

    DCRat.exe

  • Size

    1.1MB

  • Sample

    240622-lq6tzaxalr

  • MD5

    f527457a94ed0b2c880dd74936599fee

  • SHA1

    100cc57ca436b5ccea01122785b0cd46c79965d0

  • SHA256

    f63fa2d093a9bcafe30855b24b45231303f5126159e5f40cd636ab2ca68e4581

  • SHA512

    4546f8693ea9bdfc49d9a0d34937dc1f0d06872adb0695001cec88fb5f7a42645acde1800d360970d5416f2aac99d9461bd3541fd0257e8bc5a86380d7a47285

  • SSDEEP

    24576:U2G/nvxW3Ww0tT4dfLcKrSNoZop+Phomlof5:UbA30T4dGNoZ8+5oCm

Score
10/10

Malware Config

Targets

    • Target

      DCRat.exe

    • Size

      1.1MB

    • MD5

      f527457a94ed0b2c880dd74936599fee

    • SHA1

      100cc57ca436b5ccea01122785b0cd46c79965d0

    • SHA256

      f63fa2d093a9bcafe30855b24b45231303f5126159e5f40cd636ab2ca68e4581

    • SHA512

      4546f8693ea9bdfc49d9a0d34937dc1f0d06872adb0695001cec88fb5f7a42645acde1800d360970d5416f2aac99d9461bd3541fd0257e8bc5a86380d7a47285

    • SSDEEP

      24576:U2G/nvxW3Ww0tT4dfLcKrSNoZop+Phomlof5:UbA30T4dGNoZ8+5oCm

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks