General
Target: DCRatBuild.exe
Size: 3.1MB
Sample: 240723-reh7estfjn
MD5: 483924e53029436ee078d5fee780b52b
SHA1: bd3fa8e583bb7fc5e866111c50813889684dbc8d
SHA256: 570c8cc8c85202669b00256df1d2330b366232c63ad018cc198a25201896dacf
SHA512: 5cb7693d300631f7da3779f0519adc480793be6ebd40bd12b97609b8663ec25cd5f3d5213c0f0c5ed48fe9644736e4c9a5d09f8c8fba744c16a0e91ac63996ae
SSDEEP: 98304:ubLCV6IvIiiCITXeTrGaXNah5x3FsC1UFA5XQK:u/s1mXemaXUj3FtyE9
Behavioral task: behavioral1
Sample: DCRatBuild.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: DCRatBuild.exe
Resource: win10v2004-20240709-en
Malware Config
Targets
Target: DCRatBuild.exe
Family: DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Signatures
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)