General
Target
2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe
Size
1.2MB
Sample
240629-2s3hbsycqd
MD5
2f77b6ba0d6b4cf6cb232c0e5aa2f999
SHA1
4bb0d8a5c6e42374d1a58b8b025bbf99cda42b77
SHA256
d5e776aa38d141a5621e492af32685568f2c527864caa72dad17ec08172bd223
SHA512
d434e987bcd3f8ee09501e2c4b600b7781d228bc465e54d0d016ae086d2eef18500832ebd78e1b7d75956ffb3ad621c77bb3cca45ca0dc57b00826aa2f2e8e8a
SSDEEP
24576:GiRX4ONyMaJtHAWwIh1zunez5ma3Z1tzVSzWdPnG:GiRX4jMD7R/a3Z1hf
Behavioral task
behavioral1
Sample
2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
Target
2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe
Score
10/10
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Modifies WinLogon for persistence
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)