General
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
Sample
240724-sszl1asgrm
-
MD5
aa17d6c29796bf966f69f471f3a0056f
-
SHA1
c88deff63da3aefcb9aa7d9759a7774b133052b5
-
SHA256
2bdbb0fb2f4390a0333e3c484f14b93fbea565008f4bf76bbb3499db2f8a1c2e
-
SHA512
0201700061c30d2bea75e2d5ee6d8c7611bf7fc93fd7c2e5be3fd17385e6a5a08a61c93828e99d15719abc7adfdd1b44500fcbe99081a17c52c8b4c669569c4e
-
SSDEEP
24576:u2G/nvxW3WieCPL2sapNSx9AdV6p7RBnjkr+F:ubA3jjta49AiV3F
Malware Config
Targets
-
Target
DCRatBuild.exe
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
MITRE ATT&CK Enterprise v15
-
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1
Scheduled Task: 1
-
Defense Evasion
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Impair Defenses: 1
Disable or Modify Tools: 1
Modify Registry: 2