General

  • Target

    DCRatBuild.exe

  • Size

    1.1MB

  • Sample

    240716-2g6evatbnl

  • MD5

    e9bc068017ce93f26711bc6cee5baaf5

  • SHA1

    397be9a2d6a68e4c49beaa694e12c338253216df

  • SHA256

    066802e184c05d76cc3657b71f4e8572f694d59bb2a7baa8fed3a6605476a709

  • SHA512

    e93f62eb34d3a3010d1b5ff250de512c81134e58ca0f9a9eb91acecd73c7abc0c5396c93640390608af9d06b196148949be32c63417acea51ece1595b909a14c

  • SSDEEP

    24576:U2G/nvxW3Ww0tWq4f28wBUVIL8FGstUPtekz2N:UbA30WDf6QEa

Score
10/10

Targets

    • Target

      DCRatBuild.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE
