General
-
Target
ba30eaf70b11268accb528ce65cea53a3ec811d2e368e4a3d19ebdfaf02cc233
-
Size
518KB
-
Sample
241130-tqjnfayjfz
-
MD5
4a3bf58e23a86ea73d2f1d8ba04e7467
-
SHA1
88099e13c38f4adfef4a64ca91b681c8cfa85834
-
SHA256
ba30eaf70b11268accb528ce65cea53a3ec811d2e368e4a3d19ebdfaf02cc233
-
SHA512
dd2ffed4fa44c5a81db9898b57488996165b9b58a0c30176b335cbc81d74fb86541645e0167ac58f73de547dedf4ba9ed419477e17f170f10a8472f106a2d9c5
-
SSDEEP
12288:tZ2N7BcysKLDraDdvdx5gqJSpxw3+i4rF/Fx:tZ2cvYaLxuqSN
Malware Config
Targets
-
-
Target
ba30eaf70b11268accb528ce65cea53a3ec811d2e368e4a3d19ebdfaf02cc233
-
Size
518KB
-
MD5
4a3bf58e23a86ea73d2f1d8ba04e7467
-
SHA1
88099e13c38f4adfef4a64ca91b681c8cfa85834
-
SHA256
ba30eaf70b11268accb528ce65cea53a3ec811d2e368e4a3d19ebdfaf02cc233
-
SHA512
dd2ffed4fa44c5a81db9898b57488996165b9b58a0c30176b335cbc81d74fb86541645e0167ac58f73de547dedf4ba9ed419477e17f170f10a8472f106a2d9c5
-
SSDEEP
12288:tZ2N7BcysKLDraDdvdx5gqJSpxw3+i4rF/Fx:tZ2cvYaLxuqSN
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1