General
Target: 77FFFEE187FABB45FFC7219D421EA83F.exe
Size: 1.4MB
Sample: 241026-d5w93swqgr
MD5: 77fffee187fabb45ffc7219d421ea83f
SHA1: 3f21e5a79d674131678ac5de8eaf30bbfcbb177c
SHA256: 272d4708729e16b629b6ec2c3c04317f6579c2c8f24d171be0d9469dbbce4e26
SHA512: 3c27ed77b4e5c522804b48b94b70071bc07b4227ed3f5018d45160cb192136296f75a84af770caf72c797d2ea7fa36c8d897f2d68199f0fe0123c94781452b1f
SSDEEP: 24576:KufUOExyABqHwzAsZg7ySXHzf9gUQ4zWp2Wn7b5kXxK:K3zBqATEzf9gUQPn7b5kXx
Behavioral task: behavioral1
Sample: 77FFFEE187FABB45FFC7219D421EA83F.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 77FFFEE187FABB45FFC7219D421EA83F.exe
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: 77FFFEE187FABB45FFC7219D421EA83F.exe
Score: 10/10
DcRat
    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence
Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.
Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)