General

  • Target

    DCrat.exe

  • Size

    3.7MB

  • Sample

    240719-nh4qrasald

  • MD5

    22cc90f49c151e2b37d98947d4fc7390

  • SHA1

    2838b3e4d3d67bd9af50535130c017f3f0e03e61

  • SHA256

    1177a24b2539e173f4f9d25c0f3e43a22d23ec64b562a86b4b7ef65741734067

  • SHA512

    12eae0f34661ed05742cd183dc4225949004a60d59487d9771b6789482a71821560b3ffd1c81cdb4d5cd2e289f3843b91bfdb65379810b4200c03778c9e44b22

  • SSDEEP

    98304:Ubtsvkrdch4OslTJ64XIQB3MjkbFw6kzGYn:UJs8rCrsp44XIq3qztn

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks