General

  • Target

    DCRatBuild.exe

  • Size

    1.1MB

  • Sample

    240712-xj2r8awckl

  • MD5

    395c321b98a6becd6e82acb363fe7206

  • SHA1

    4e38cbeae81eab7088af83fa3d5ec1b5d360422b

  • SHA256

    3c0dc6828037ae708ba136419b01bd08439cb1130bf248f246d9608256f6fe0f

  • SHA512

    fe33b250ef401b26a7d2cc05a1b99f8fe48bd1e1d4e32d425674172d9f10c91c1cdc8ab4dd73794e2ef51aebe420a7a0a0feaea20956f724006217554374f3a0

  • SSDEEP

    24576:U2G/nvxW3Ww0tPiIU6wdG8lXxRwDIxj8CYPwt:UbA30KZdnqcx1Y2

Score
10/10

Malware Config

Targets

    • Target

      DCRatBuild.exe

    • Size

      1.1MB

    • MD5

      395c321b98a6becd6e82acb363fe7206

    • SHA1

      4e38cbeae81eab7088af83fa3d5ec1b5d360422b

    • SHA256

      3c0dc6828037ae708ba136419b01bd08439cb1130bf248f246d9608256f6fe0f

    • SHA512

      fe33b250ef401b26a7d2cc05a1b99f8fe48bd1e1d4e32d425674172d9f10c91c1cdc8ab4dd73794e2ef51aebe420a7a0a0feaea20956f724006217554374f3a0

    • SSDEEP

      24576:U2G/nvxW3Ww0tPiIU6wdG8lXxRwDIxj8CYPwt:UbA30KZdnqcx1Y2

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks