General
-
Target
e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
-
Size
1.7MB
-
Sample
241218-bcpnesxkak
-
MD5
a55ec0151237a920dfd1fbce1dacca26
-
SHA1
b3abf9945fc79c6a57c16dd519de7027d4ebd4b3
-
SHA256
e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386
-
SHA512
c064443dc5f5759f4f36cdf230e13486a6a2af673e4f59bb02ae6e21f60b0fff115d580cf69eaeed17d5c5ec40e127c4a1c02a9beccd3243e00b7ad5d973d617
-
SSDEEP
24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJC:NgwuuEpdDLNwVMeXDL0fdSzAGL
Behavioral task
behavioral1
Sample
e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Drops file in System32 directory
-