General
-
Target
0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
-
Size
682KB
-
Sample
241120-gwtpdatclq
-
MD5
1168a01289281e9d8b30172e06548dc0
-
SHA1
22a7fa48bffde7640a4476f8c2531e7695ad609b
-
SHA256
0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137
-
SHA512
49110a24c2071b5e71a3d362740d27115ae5d6803fdbf64eadb49612cbba5d0daed57442e943c26b8e3bbaac6f061008a2363974484af30de84a183ab966a19a
-
SSDEEP
12288:hqnO3mwJNoGFAgHCRvp1i/fjqJRYFInDrX/xTU3JgXDV6blx1wgtra7B:h+O3mwJnCRvEMxnDVSwgY
Malware Config
Targets
-
-
Target
0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
-
Size
682KB
-
MD5
1168a01289281e9d8b30172e06548dc0
-
SHA1
22a7fa48bffde7640a4476f8c2531e7695ad609b
-
SHA256
0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137
-
SHA512
49110a24c2071b5e71a3d362740d27115ae5d6803fdbf64eadb49612cbba5d0daed57442e943c26b8e3bbaac6f061008a2363974484af30de84a183ab966a19a
-
SSDEEP
12288:hqnO3mwJNoGFAgHCRvp1i/fjqJRYFInDrX/xTU3JgXDV6blx1wgtra7B:h+O3mwJnCRvEMxnDVSwgY
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1