General
-
Target
CE2EC4539435DFEAC7E246FE5565C521.exe
-
Size
2.9MB
-
Sample
241130-dy6j6strfk
-
MD5
ce2ec4539435dfeac7e246fe5565c521
-
SHA1
59f3da006005a109914c31b5d5cd94dc4c93309c
-
SHA256
d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562
-
SHA512
408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba
-
SSDEEP
49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr
Malware Config
Targets
-
-
Target
CE2EC4539435DFEAC7E246FE5565C521.exe
-
Size
2.9MB
-
MD5
ce2ec4539435dfeac7e246fe5565c521
-
SHA1
59f3da006005a109914c31b5d5cd94dc4c93309c
-
SHA256
d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562
-
SHA512
408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba
-
SSDEEP
49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1