General
-
Target
fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
-
Size
827KB
-
Sample
240721-me1dgszgrm
-
MD5
ac9e1c7decb45fa41c77e30543bc535e
-
SHA1
b89c25859b9b195d8768868be6d4b029bd395d1f
-
SHA256
fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
-
SHA512
32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417
-
SSDEEP
12288:aRX/Vbdw0amUjO3t/6jf0eEHP2a1KP/CpvwfpKdXRJNJa:kXVamd96jf0/2apvwxKdXRJNJa
Behavioral task
behavioral1
Sample
fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
Resource
win10v2004-20240709-en
Malware Config
Targets
-
Target
fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)