General
-
Target
56a7e805cd4b58f6771b5dc9bb86324657c1188ccc2cbe6f2a7698933c8ed795.exe
-
Size
1.2MB
-
Sample
241126-k7ydgs1mdl
-
MD5
7cc28a958fbc5de59e50e489eb3e6d00
-
SHA1
76d044eee4b1592f868078837c29888b7f8daf28
-
SHA256
56a7e805cd4b58f6771b5dc9bb86324657c1188ccc2cbe6f2a7698933c8ed795
-
SHA512
f6d952c2d2dfe54f291886196f46878a7268a91512ecdcc09cfccfc5fbe06d25fd353e3ef36de13d6b47f98a129a30e2466a49cdcb3d9d946e5bf8be349455fc
-
SSDEEP
24576:pw21qwzs2PGLze66eAUr9tkTSY3kuii5nRO6d:pwYNVeFPkT0uii5n4U
Malware Config
Targets
-
-
Target
56a7e805cd4b58f6771b5dc9bb86324657c1188ccc2cbe6f2a7698933c8ed795.exe
-
Size
1.2MB
-
MD5
7cc28a958fbc5de59e50e489eb3e6d00
-
SHA1
76d044eee4b1592f868078837c29888b7f8daf28
-
SHA256
56a7e805cd4b58f6771b5dc9bb86324657c1188ccc2cbe6f2a7698933c8ed795
-
SHA512
f6d952c2d2dfe54f291886196f46878a7268a91512ecdcc09cfccfc5fbe06d25fd353e3ef36de13d6b47f98a129a30e2466a49cdcb3d9d946e5bf8be349455fc
-
SSDEEP
24576:pw21qwzs2PGLze66eAUr9tkTSY3kuii5nRO6d:pwYNVeFPkT0uii5n4U
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1