General
Target: 68028fe0a2bb715fe782583e5c29c6ff.exe
Size: 2.4MB
Sample: 241003-scqzxsvcjf
MD5: 68028fe0a2bb715fe782583e5c29c6ff
SHA1: 61ed3a7c584675d2f1938c445476488c2e1f3c6e
SHA256: 132d4d7f1635c8c0a5bc723e1bee6d2475cce461fefad80f07d74ad1fbd12357
SHA512: 0183d5105f4e7a1520e6a64089fa3d0b30465d4814dde00a4a0931de1369855fa53ca01180d60eeeb6a3b631a0716d76cf86ce56a2fc0d95d5a4ff93fe9d015c
SSDEEP: 49152:pbA3lGpDJJ41lzRMvw+u5Z0CKevJcUlMhnnjMsUHiHjsyB:pbRnJ41livwjgFUehnj1HHB
Behavioral task: behavioral1
Sample: 68028fe0a2bb715fe782583e5c29c6ff.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 68028fe0a2bb715fe782583e5c29c6ff.exe
Resource: win10v2004-20240802-en
Malware Config
Targets
Target: 68028fe0a2bb715fe782583e5c29c6ff.exe
Score: 10/10
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Modifies WinLogon for persistence

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Disables Task Manager via registry modification

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
  Scheduled Task (1)