General
-
Target
9c8937d1ffc2a8ce23cbaddaa9e8b046d1460fc684d05b609fec3514ab14c39c.exe
-
Size
3.0MB
-
Sample
240723-dhxbkavank
-
MD5
3def0ae25d7785e4155d73639281c783
-
SHA1
83e0bd5e952c0d8501f0bae856ad057d2d66f933
-
SHA256
9c8937d1ffc2a8ce23cbaddaa9e8b046d1460fc684d05b609fec3514ab14c39c
-
SHA512
beac32faa42d72af9eb64977c2ed8aa30ec0d78a3319a758378a6c407a951919a9539b22b2595f91953b25109bd185e33798c09590c9fbbfee7618771ad1edf4
-
SSDEEP
49152:Mj0QvSoTm+SLllhsAKVSPwAk6roAIJiUhykd8zKflQ5TpweOBw7bMoc52Sf0:MpacpSLllnKsPfxro1hh9ApQ+br0nf0
Behavioral task
behavioral1
Sample
9c8937d1ffc2a8ce23cbaddaa9e8b046d1460fc684d05b609fec3514ab14c39c.exe
Resource
win7-20240708-en
Malware Config
Targets
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1
Scheduled Task: 1