General

  • Target

    DCRatBuild.bat

  • Size

    3.0MB

  • Sample

    240723-2xel3awhnb

  • MD5

    a712786c7410347d56043f3568ecfb45

  • SHA1

    226d4b5b732cbd5281f8280b8cf94244888d40b8

  • SHA256

    a5780a046f63df0779843c1ccdbff0838467156afce4f60998f7f2c4ac74b1f6

  • SHA512

    1640fbb8198391f1930392bc3de4a43e26aaedfb7d1bef2a9cc827b861417d227360562a25b13670f576d5103e92d9f0af2b1d6521ae1df8ba56d6fc04dfa4c4

  • SSDEEP

    49152:UbA30tnC+TIAYOv3ZQ9sqyxvQyErT+WOimOay3kEqiLl+1LrhhSxi1PLjxWEA:UbRndTxYOP8Qp+iWtay3kl2QrLPLjxbA

Targets

    • Target

      DCRatBuild.bat

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL
