General
-
Target
Bh2PmThP.exe
-
Size
1.7MB
-
Sample
240919-dj115sxfja
-
MD5
475d2e67ce84a513bd0a1757becc2018
-
SHA1
8322b7bc21b0114b453812035ef643cf532bdf6c
-
SHA256
158c9599f5310708e34c67ba1f72241b28e0b5633dec9e786fd6031a95da6d3d
-
SHA512
0d2277d90853216485a261380727171aa8d2c530ba0d1ce6372f6971d16c37a3ac22196f1fe5c9a9dedd930aee302edfab3e5e89450a6d038bcc98e0af70aedd
-
SSDEEP
24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
Malware Config
Targets
-
-
Target
Bh2PmThP.exe
-
Size
1.7MB
-
MD5
475d2e67ce84a513bd0a1757becc2018
-
SHA1
8322b7bc21b0114b453812035ef643cf532bdf6c
-
SHA256
158c9599f5310708e34c67ba1f72241b28e0b5633dec9e786fd6031a95da6d3d
-
SHA512
0d2277d90853216485a261380727171aa8d2c530ba0d1ce6372f6971d16c37a3ac22196f1fe5c9a9dedd930aee302edfab3e5e89450a6d038bcc98e0af70aedd
-
SSDEEP
24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1