General
Target
5266940f1d58cb7f3d98c63414712311.exe
Size
3.3MB
Sample
240627-xn7t2avhlh
MD5
5266940f1d58cb7f3d98c63414712311
SHA1
0fb7dd6ebd24a5224d27b982b419936cda54acfa
SHA256
533c1f6d82962094e076116e5eaf643dd440eff83861ccf26334bc553fb6d129
SHA512
2fff58458c6d066eeb1bf4ab4ffcd001c313871f431af59580f607041be6c85262532ade4f0a835df879411f1905ce60ca3facd708e3aef89189cfbd81850a25
SSDEEP
49152:PbA35t4f/APjlSPuaUxdDyixWPcjQ5ZkG+4sv3fOyybpZ+4rDgU+Zf1:PbO4AP5W3Ujrxjc5Z7hPz/3rUz1
Behavioral task
behavioral1
Sample
5266940f1d58cb7f3d98c63414712311.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
5266940f1d58cb7f3d98c63414712311.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
Target
5266940f1d58cb7f3d98c63414712311.exe
Score
10/10

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Modifies WinLogon for persistence

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Disables Task Manager via registry modification

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)