General

  • Target

    DCRatBuild.exe

  • Size

    3.0MB

  • Sample

    240724-r8gkpa1fnk

  • MD5

    9056618a634ae845b6a795a72f18acf4

  • SHA1

    aca91e2d77b62bffd6d9d2031181edb5d010288b

  • SHA256

    9b9a97772a741c60cbca3714a65d59c4b1e768ab1e4f434511d9c05540a579fd

  • SHA512

    863ba6e461ab706ea882316d7f36a17ae62dd5f7eb150dcb1e3b426e7479b385525c3979dc33e60e3d9ed2c4d2799d1f8a85f04892524befa3aec4c380fd0f92

  • SSDEEP

    49152:UbA30gFb062ieTHD5br1BMPhfekJS+8N/bkLmKK+GOF1hvBP2VzhPJF:UbXX1bZ2PMLLjB+G4hvp21Fz

Targets

    • Target

      DCRatBuild.exe

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Checks whether UAC is enabled

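The registry-related signatures above (Winlogon modification, Run key, Task Manager disabled, UAC check, location check) can be turned into detection rules that run over registry telemetry. The block below is an added example and is not part of the sandbox report or the sandbox's own rule set. The event schema is this example's own (loosely shaped like Sysmon Event ID 12/13 plus a QueryValue operation that Sysmon itself does not log), the mapping of registry paths to signature names is an assumption, and the events are constructed.

```python
"""Registry-event detection rules for the persistence and defence-evasion
signatures in the report, run over constructed events.

Event schema (this example's own):
    op      - "SetValue" or "QueryValue"
    pid     - process id
    image   - process image path
    target  - full registry path, value name last
    details - value data as a string; DWORDs as "DWORD (0x00000001)"
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RegEvent:
    op: str
    pid: int
    image: str
    target: str
    details: str = ""


# Values a stock Winlogon key carries (lower-cased). Anything else written to
# Shell or Userinit is treated as persistence. Assumed defaults, not from the report.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe,"},
}


def _split(target: str) -> Tuple[str, str]:
    """Return (lower-cased key path, lower-cased value name)."""
    key, _, value = target.lower().rpartition("\\")
    return key, value


def _dword(details: str) -> Optional[int]:
    """Parse the 'DWORD (0x00000001)' rendering; None if not a DWORD."""
    d = details.strip()
    if not d.upper().startswith("DWORD"):
        return None
    hex_part = d[d.find("(") + 1 : d.rfind(")")]
    try:
        return int(hex_part, 16)
    except ValueError:
        return None


def classify(ev: RegEvent) -> List[str]:
    """Map one registry event to the report signature names it satisfies."""
    key, value = _split(ev.target)
    hits: List[str] = []
    if ev.op == "SetValue":
        if key.endswith(r"\microsoft\windows nt\currentversion\winlogon") and value in WINLOGON_DEFAULTS:
            if ev.details.strip().lower() not in WINLOGON_DEFAULTS[value]:
                hits.append("Modifies WinLogon for persistence")
        if key.endswith((r"\microsoft\windows\currentversion\run",
                         r"\microsoft\windows\currentversion\runonce")):
            hits.append("Adds Run key to start application")
        if key.endswith(r"\policies\system") and value == "disabletaskmgr" and _dword(ev.details) == 1:
            hits.append("Disables Task Manager via registry modification")
    elif ev.op == "QueryValue":
        if key.endswith(r"\policies\system") and value == "enablelua":
            hits.append("Checks whether UAC is enabled")
        # Assumed location of the country code the "location settings" signature refers to.
        if key.endswith(r"\control panel\international\geo") and value == "nation":
            hits.append("Checks computer location settings")
    return hits


def triage(events) -> Dict[int, List[str]]:
    """Aggregate signature hits per process, first-seen order, no duplicates."""
    per_pid: Dict[int, List[str]] = defaultdict(list)
    for ev in events:
        for hit in classify(ev):
            if hit not in per_pid[ev.pid]:
                per_pid[ev.pid].append(hit)
    return dict(per_pid)


# Constructed events: one process behaving like the sample, one benign writer.
IMG = r"C:\Users\Public\Libraries\host.exe"
SAMPLE_EVENTS = [
    RegEvent("SetValue", 4120, IMG, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             r"explorer.exe, C:\Users\Public\Libraries\host.exe"),
    RegEvent("SetValue", 4120, IMG, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\host", IMG),
    RegEvent("SetValue", 4120, IMG, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
             "DWORD (0x00000001)"),
    RegEvent("QueryValue", 4120, IMG, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    RegEvent("QueryValue", 4120, IMG, r"HKCU\Control Panel\International\Geo\Nation"),
    # Benign: default Shell value and Task Manager explicitly re-enabled.
    RegEvent("SetValue", 812, r"C:\Windows\System32\svchost.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe"),
    RegEvent("SetValue", 812, r"C:\Windows\System32\svchost.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
             "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

The Winlogon rule compares against the stock value rather than firing on any write, since installers and policy tools do touch that key; the Task Manager rule requires the DWORD to be 1 so that a policy reset is not reported as evasion.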
MITRE ATT&CK Enterprise v15