General
-
Target
2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9
-
Size
1.9MB
-
Sample
241130-yac8yaxjbr
-
MD5
8fdbd9a0a9390964373271dd09b991ba
-
SHA1
78a4d4c43b894a8227b25be8f61f7aa6b8315ab7
-
SHA256
2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9
-
SHA512
76a6e750adc8c888bea717bdbb74dad5fe10c1688e1e87a9cb9dfb7caf4e4c5cdd9b9f34ef5aa7577f92bf1349797b04a5edac64c772489cd316d5e71ea9291c
-
SSDEEP
49152:IBJeP7Q9KggbDv7jsn3JzB6lR6jA+knZY5U:yQPihgvs3JzB6lR6jA+k5
Malware Config
Targets
-
-
Target
2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9
-
Size
1.9MB
-
MD5
8fdbd9a0a9390964373271dd09b991ba
-
SHA1
78a4d4c43b894a8227b25be8f61f7aa6b8315ab7
-
SHA256
2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9
-
SHA512
76a6e750adc8c888bea717bdbb74dad5fe10c1688e1e87a9cb9dfb7caf4e4c5cdd9b9f34ef5aa7577f92bf1349797b04a5edac64c772489cd316d5e71ea9291c
-
SSDEEP
49152:IBJeP7Q9KggbDv7jsn3JzB6lR6jA+knZY5U:yQPihgvs3JzB6lR6jA+k5
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1