General
-
Target
05fc0bdf63407c4bf2aa13262366cec5.exe
-
Size
624KB
-
Sample
240722-g9l7fstapm
-
MD5
05fc0bdf63407c4bf2aa13262366cec5
-
SHA1
3c25001232633ced8c5dbd159793f5db7b9bd3c8
-
SHA256
7c00050f9a74c897dc0b917b07898b14150329571584ed3d7928d7c59b974c2b
-
SHA512
9513fb1767b3f7c480c86e9958df83e30f19f0b487f7e37b844266a968dfe9b4275e4fe3c11118a5ccace381d69e928dab61a32b113095b3a2f3f83bc6a821e4
-
SSDEEP
12288:aRZ+IoG/n9IQxW3OBsee2X+t4Rb/32N7QqcLCf8VIP9A2oxldxDZt:U2G/nvxW3Ww0t/32NCkC2o5xD7
Behavioral task
behavioral1
Sample
05fc0bdf63407c4bf2aa13262366cec5.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
05fc0bdf63407c4bf2aa13262366cec5.exe
Resource
win10v2004-20240709-en
Malware Config
Targets
-
Target
05fc0bdf63407c4bf2aa13262366cec5.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1
Scheduled Task: 1