General

  • Target

    Riga Client.exe

  • Size

    2.0MB

  • Sample

    240717-ng89va1fqd

  • MD5

    40ac7d11ebb91612d8d5c16c05af0a13

  • SHA1

    543a6c16f8f058fb6ba029ee3a9c5fde92aaa212

  • SHA256

    4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e

  • SHA512

    223ecc008fe3b9818597c3870ef605674eb96c52f8f140edb1d7c878691ce16c604440be77107c795a2bbb4e1b5c28ba94141e5703d9488c3a06580e38bf953c

  • SSDEEP

    49152:PbA3HdwWe2aSe6pcUwxE0G+dK7RB7/wWnm1Xl:Pbt2M4cUwxEII7RB0d1Xl

Malware Config

Targets

    • Target

      Riga Client.exe

    • Size

      2.0MB

    • MD5

      40ac7d11ebb91612d8d5c16c05af0a13

    • SHA1

      543a6c16f8f058fb6ba029ee3a9c5fde92aaa212

    • SHA256

      4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e

    • SHA512

      223ecc008fe3b9818597c3870ef605674eb96c52f8f140edb1d7c878691ce16c604440be77107c795a2bbb4e1b5c28ba94141e5703d9488c3a06580e38bf953c

    • SSDEEP

      49152:PbA3HdwWe2aSe6pcUwxE0G+dK7RB7/wWnm1Xl:Pbt2M4cUwxEII7RB0d1Xl

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks