General
-
Target
ca1c3f84e0259d9c423e34e20840f142.exe
-
Size
3.3MB
-
Sample
250110-e2hsysskaz
-
MD5
ca1c3f84e0259d9c423e34e20840f142
-
SHA1
3efc257f5027a1a1a205adcdbcb999e1ef8b3b7d
-
SHA256
30d404945af42d77bfd6ac92739486e8d00496a977ba6a6f0240cd20b7989f2c
-
SHA512
8cf6d715fbcad8eff71f4102479ed189a8e71438613225ae26c4e40dd696152a9d2efec028d602b8e25902aeea25961541749029d30a6f5fce5fd36d997fd5e1
-
SSDEEP
98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
Malware Config
Targets
-
-
Target
ca1c3f84e0259d9c423e34e20840f142.exe
-
Size
3.3MB
-
MD5
ca1c3f84e0259d9c423e34e20840f142
-
SHA1
3efc257f5027a1a1a205adcdbcb999e1ef8b3b7d
-
SHA256
30d404945af42d77bfd6ac92739486e8d00496a977ba6a6f0240cd20b7989f2c
-
SHA512
8cf6d715fbcad8eff71f4102479ed189a8e71438613225ae26c4e40dd696152a9d2efec028d602b8e25902aeea25961541749029d30a6f5fce5fd36d997fd5e1
-
SSDEEP
98304:0LMvB0KtBC+ZiFJCY4zsqyv7TUws7LRh1Bk308m3/T:0gvOK9MF5qy/UZdz8Q/T
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1