Resubmissions

16-11-2024 10:34

241116-ml8y7sylen 10

16-11-2024 10:32

241116-mlb98svdnd 10

15-11-2024 09:16

241115-k8ww2s1mhz 10

30-10-2024 05:17

241030-fy5nzsxejq 10

21-07-2024 18:09

240721-wrvs7syckf 10

21-07-2024 14:26

240721-rsar7svhpj 10

General

  • Target

    DCRatBuild.exe

  • Size

    1.1MB

  • Sample

    241116-mlb98svdnd

  • MD5

    7ef93a29c05d412dd2dc432e1aac54a9

  • SHA1

    776cc5c36f370a7e1fa840a21c13f2278723409e

  • SHA256

    d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132

  • SHA512

    26e00619e47a130fb768b91074915c8a69f8690ac12465f21c1bd7e69f94ae6db9a238ff3c510a719cf1a318a07c80a543212c200b2b2152934a1ad154d13ab6

  • SSDEEP

    12288:URZ+IoG/n9IQxW3OBseUUT+tcYbv+RK+UfXST5/rKMyFckcb8M41AT0z/GAFPz3m:u2G/nvxW3WieC7STuMMATKPTVgxr4q

Malware Config

Targets

    • Target

      DCRatBuild.exe

    • Size

      1.1MB

    • MD5

      7ef93a29c05d412dd2dc432e1aac54a9

    • SHA1

      776cc5c36f370a7e1fa840a21c13f2278723409e

    • SHA256

      d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132

    • SHA512

      26e00619e47a130fb768b91074915c8a69f8690ac12465f21c1bd7e69f94ae6db9a238ff3c510a719cf1a318a07c80a543212c200b2b2152934a1ad154d13ab6

    • SSDEEP

      12288:URZ+IoG/n9IQxW3OBseUUT+tcYbv+RK+UfXST5/rKMyFckcb8M41AT0z/GAFPz3m:u2G/nvxW3WieC7STuMMATKPTVgxr4q

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks