General
-
Target
4f964ada28fa2dde5c75d3c3682e69c4.bin
-
Size
811KB
-
Sample
241202-bqg6hasjax
-
MD5
00fca0adc526bacadbcf19fc9fdee9ae
-
SHA1
a83a113acb65a20d6ea72309d02b8ee8639cacf2
-
SHA256
b560855a892920c2e65e6d11e71221fe4cab665ecbce9f7871aaa9636c0262dc
-
SHA512
bf473e0e519d8be8009db79c837737322194d3d630b0ab20983cda755b441b513f1c962b91db3daa318afbaf25ec5755a62735f5dc6411dbc1fcef2efcb7d466
-
SSDEEP
24576:mf/Qhny+IA2k9qKhVHaiH5/fXgRoM+UNmJXT:mQXmkY+aiH5qofUN8T
Malware Config
Targets
-
-
Target
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
-
Size
1.8MB
-
MD5
4f964ada28fa2dde5c75d3c3682e69c4
-
SHA1
481a0ddc3dfd39147abf684b60b6a0b1dfbbc341
-
SHA256
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945
-
SHA512
ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68
-
SSDEEP
24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1