General

  • Target

    DCRatBuild.exe

  • Size

    3.7MB

  • Sample

    240622-ysgzvawgpn

  • MD5

    22cc90f49c151e2b37d98947d4fc7390

  • SHA1

    2838b3e4d3d67bd9af50535130c017f3f0e03e61

  • SHA256

    1177a24b2539e173f4f9d25c0f3e43a22d23ec64b562a86b4b7ef65741734067

  • SHA512

    12eae0f34661ed05742cd183dc4225949004a60d59487d9771b6789482a71821560b3ffd1c81cdb4d5cd2e289f3843b91bfdb65379810b4200c03778c9e44b22

  • SSDEEP

    98304:Ubtsvkrdch4OslTJ64XIQB3MjkbFw6kzGYn:UJs8rCrsp44XIq3qztn

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks