General
Target: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe
Size: 3.3MB
Sample: 240717-de1vkssgqp
MD5: af4cd8f5b99d7e371a6ddd880aec1079
SHA1: caba9083a0128266b477330c2e5d8874646a915d
SHA256: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20
SHA512: c0fbb42b516c4a83a3dbeab47199fb603330929788008a314c222ec1585845a40538cd2f2b18ace200436beeed2b7428fe23fd9e19bb2f5a3f48939ab93432ff
SSDEEP: 98304:PbD91o0GWLMJo5sZB8MDJ2RZeeD+Gvl/ndA:PXbnGWLMTZyjnCg/i
Behavioral task: behavioral1
Sample: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe
Resource: win10v2004-20240709-en
Malware Config
Targets
Target: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe
Size: 3.3MB
MD5: af4cd8f5b99d7e371a6ddd880aec1079
SHA1: caba9083a0128266b477330c2e5d8874646a915d
SHA256: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20
SHA512: c0fbb42b516c4a83a3dbeab47199fb603330929788008a314c222ec1585845a40538cd2f2b18ace200436beeed2b7428fe23fd9e19bb2f5a3f48939ab93432ff
SSDEEP: 98304:PbD91o0GWLMJo5sZB8MDJ2RZeeD+Gvl/ndA:PXbnGWLMTZyjnCg/i
Score: 10/10
Signatures
- DcRat
  DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)