General
-
Target
5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a
-
Size
1.8MB
-
Sample
241110-24cfaazpgp
-
MD5
5fe5c094a2fd1a198178aa10c5b62307
-
SHA1
766b36ad58f89249728f8405b893ee104f3a8e6d
-
SHA256
5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a
-
SHA512
c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0
-
SSDEEP
49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM
Malware Config
Targets
-
-
Target
5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a
-
Size
1.8MB
-
MD5
5fe5c094a2fd1a198178aa10c5b62307
-
SHA1
766b36ad58f89249728f8405b893ee104f3a8e6d
-
SHA256
5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a
-
SHA512
c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0
-
SSDEEP
49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1