General
-
Target
8b744166eecace320158f4d0f704b13e.bin
-
Size
789KB
-
Sample
241213-bqds3stpex
-
MD5
48574142b7971d2df0e9440a6c82d634
-
SHA1
5e2d60c7a82ffd089a7b876720af91c314c8a7d7
-
SHA256
b1d9fb66fc77fcad09e98f909994ec891500dffc86c26b7c5d71239b6745776c
-
SHA512
d941c71e9077083e765386b017a712edf375dc1ef89d4051b962911c8dac2dd468b59d25fa97dd3c91c8073784ba2f4e52ac7177ffc0679a46660c0c1e9bae95
-
SSDEEP
24576:UOavf+d4FQkZ6JKKYoH9yKDu8kvLSqUOh3uwEAU:vAI4Gw6JRdyKqmqUw38
Malware Config
Targets
-
-
Target
aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
-
Size
2.7MB
-
MD5
8b744166eecace320158f4d0f704b13e
-
SHA1
b92636084b3bd914514bc44556c4803933d667a3
-
SHA256
aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9
-
SHA512
641b3065e30186ccf9ba84ce6d345565763bbdb5fc1b1201c3f08fce5466c2384250b85b4c0220d2b9e21c5a51ff5ef60e9b910e07107e2b7e06f97b4e429d27
-
SSDEEP
24576:l+O4GuNVHU+AH2FWxOYIOlIZBrlsQBYI63DSyve5fG:s3N5IO6OtsMYIxS
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1