General
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
Sample
241030-fzzt5axekq
-
MD5
7ef93a29c05d412dd2dc432e1aac54a9
-
SHA1
776cc5c36f370a7e1fa840a21c13f2278723409e
-
SHA256
d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132
-
SHA512
26e00619e47a130fb768b91074915c8a69f8690ac12465f21c1bd7e69f94ae6db9a238ff3c510a719cf1a318a07c80a543212c200b2b2152934a1ad154d13ab6
-
SSDEEP
12288:URZ+IoG/n9IQxW3OBseUUT+tcYbv+RK+UfXST5/rKMyFckcb8M41AT0z/GAFPz3m:u2G/nvxW3WieC7STuMMATKPTVgxr4q
Malware Config
Targets
-
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
MD5
7ef93a29c05d412dd2dc432e1aac54a9
-
SHA1
776cc5c36f370a7e1fa840a21c13f2278723409e
-
SHA256
d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132
-
SHA512
26e00619e47a130fb768b91074915c8a69f8690ac12465f21c1bd7e69f94ae6db9a238ff3c510a719cf1a318a07c80a543212c200b2b2152934a1ad154d13ab6
-
SSDEEP
12288:URZ+IoG/n9IQxW3OBseUUT+tcYbv+RK+UfXST5/rKMyFckcb8M41AT0z/GAFPz3m:u2G/nvxW3WieC7STuMMATKPTVgxr4q
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1