General
Target: fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4
Size: 2.0MB
Sample: 241221-htznaavrez
MD5: ff6e26dc9893c97196aefe245defeff9
SHA1: 6ec3649790e948299b43bc522ee6d3fc9d10f769
SHA256: fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4
SHA512: 6c4f76b35b0a90ca8e132d20a3b9d0eaf4752c6c49efe9a6f180b3b7a2091af55f8cab0be881e499a90da496ccbce7550eba4d8a3bc124060b429d44fb08e0a0
SSDEEP: 49152:1Djlabwz9WV429A3twp/pZ5zUg45hGUrf/osAX4RUhpKT/+qYiv:Zqw+T9ewpRzz6OUkR4R7TmqYK
Static task: static1
Behavioral task: behavioral1
  Sample: fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets: fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4 (same sample and hashes as listed under General above)
Score: 10/10
DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)