General
-
Target
LisectAVT_2403002A_442.exe
-
Size
2.2MB
-
Sample
240725-ayke6axaqj
-
MD5
519c9f6fedeb43a8d129230fed9a2108
-
SHA1
534ce363aa81cba33e01330d449c081f6b5e4f87
-
SHA256
2c9593138be6c386946e31595ccdd5550922ef3fdd843fbb5f1e83634c223a2a
-
SHA512
ac8c10418e8ed4c2338378af4c8233196a2982405c551e033e0375c5abf523a552312b7c5664d1aed246e3177ac71c0ade7ecca3204ddb2cf1406ea055445521
-
SSDEEP
49152:UbA30bEln+8YPyZc6wkQbPVqlC8m5saKHaFg3:UbUJ+lyZKjVJDWaA
Malware Config
Targets
-
-
Target
LisectAVT_2403002A_442.exe
-
Size
2.2MB
-
MD5
519c9f6fedeb43a8d129230fed9a2108
-
SHA1
534ce363aa81cba33e01330d449c081f6b5e4f87
-
SHA256
2c9593138be6c386946e31595ccdd5550922ef3fdd843fbb5f1e83634c223a2a
-
SHA512
ac8c10418e8ed4c2338378af4c8233196a2982405c551e033e0375c5abf523a552312b7c5664d1aed246e3177ac71c0ade7ecca3204ddb2cf1406ea055445521
-
SSDEEP
49152:UbA30bEln+8YPyZc6wkQbPVqlC8m5saKHaFg3:UbUJ+lyZKjVJDWaA
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1