General
-
Target
d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
-
Size
1.8MB
-
Sample
241119-qd8v1s1mfr
-
MD5
0f6832bc8381b05096f8ffac1272e400
-
SHA1
be7722fb36f12432f6da2e051d1f96761e97fcf4
-
SHA256
d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5
-
SHA512
7fabcaac732873a97990faba9a06fee2b4c4febf8e5be1b223827c10671151854dcd755ca492c5738bebb18dd0dc3616a2e08768ae69d80bd681259008d04548
-
SSDEEP
24576:zyvTg4STbYSG65XZsTBsR36Y1864kHFLlb/sgaspAqsbTsIvVJUl52iFxA4Gbg:W6hdR3KlyFLlbsrs6PbTJU24Gb
Malware Config
Targets
-
-
Target
d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
-
Size
1.8MB
-
MD5
0f6832bc8381b05096f8ffac1272e400
-
SHA1
be7722fb36f12432f6da2e051d1f96761e97fcf4
-
SHA256
d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5
-
SHA512
7fabcaac732873a97990faba9a06fee2b4c4febf8e5be1b223827c10671151854dcd755ca492c5738bebb18dd0dc3616a2e08768ae69d80bd681259008d04548
-
SSDEEP
24576:zyvTg4STbYSG65XZsTBsR36Y1864kHFLlb/sgaspAqsbTsIvVJUl52iFxA4Gbg:W6hdR3KlyFLlbsrs6PbTJU24Gb
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1