General

  • Target

    DCRatBuild.exe

  • Size

    3.1MB

  • Sample

    240723-reh7estfjn

  • MD5

    483924e53029436ee078d5fee780b52b

  • SHA1

    bd3fa8e583bb7fc5e866111c50813889684dbc8d

  • SHA256

    570c8cc8c85202669b00256df1d2330b366232c63ad018cc198a25201896dacf

  • SHA512

    5cb7693d300631f7da3779f0519adc480793be6ebd40bd12b97609b8663ec25cd5f3d5213c0f0c5ed48fe9644736e4c9a5d09f8c8fba744c16a0e91ac63996ae

  • SSDEEP

    98304:ubLCV6IvIiiCITXeTrGaXNah5x3FsC1UFA5XQK:u/s1mXemaXUj3FtyE9

Malware Config

Targets

    • Target

      DCRatBuild.exe

    • Size

      3.1MB

    • MD5

      483924e53029436ee078d5fee780b52b

    • SHA1

      bd3fa8e583bb7fc5e866111c50813889684dbc8d

    • SHA256

      570c8cc8c85202669b00256df1d2330b366232c63ad018cc198a25201896dacf

    • SHA512

      5cb7693d300631f7da3779f0519adc480793be6ebd40bd12b97609b8663ec25cd5f3d5213c0f0c5ed48fe9644736e4c9a5d09f8c8fba744c16a0e91ac63996ae

    • SSDEEP

      98304:ubLCV6IvIiiCITXeTrGaXNah5x3FsC1UFA5XQK:u/s1mXemaXUj3FtyE9

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks