General

  • Target

    8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe

  • Size

    1.2MB

  • Sample

    241201-c8drgatrds

  • MD5

    e96b9e17da08c5a64c26dc666402c64f

  • SHA1

    cceec5c7f6f4bbf08c63153a0dea8b5834ed38ee

  • SHA256

    8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372

  • SHA512

    dd71101f1b6b0dcd545bec2e448c6368a8653b599a5b0de3287ac50126b0c380a325e92fa201bdd869d97cf18e63d0795879923e9364abb92adfc57af02d5040

  • SSDEEP

    24576:QGZn/lA+WQi7Tw3d3pI0eqZb/bte1aMiL/8LLKwi/TIRk:QGzAy1Sob6CsL8

Malware Config

Targets

    • Target

      8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe

    • Size

      1.2MB

    • MD5

      e96b9e17da08c5a64c26dc666402c64f

    • SHA1

      cceec5c7f6f4bbf08c63153a0dea8b5834ed38ee

    • SHA256

      8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372

    • SHA512

      dd71101f1b6b0dcd545bec2e448c6368a8653b599a5b0de3287ac50126b0c380a325e92fa201bdd869d97cf18e63d0795879923e9364abb92adfc57af02d5040

    • SSDEEP

      24576:QGZn/lA+WQi7Tw3d3pI0eqZb/bte1aMiL/8LLKwi/TIRk:QGzAy1Sob6CsL8

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks