General
-
Target
rat.exe
-
Size
1.6MB
-
Sample
250111-hg428ssjel
-
MD5
3d8e2b72bd850e6d45114d61462b9f33
-
SHA1
c78aa9851c20a26ee2dc8a91b90f8edcdb46dc77
-
SHA256
6c6d5ba17c53f8eb5c280fc6945f4c4254dee1cdb8600f3a70dfdc64d67f4ec5
-
SHA512
0b57f0522e37f44bbb0c54387a7622da5282be555799148de7d6a2f1ca29ec9b5477a00169d9a1e7a678fc2d22802fdaddae7e66a1b12ab8d807b0cd0d6bb484
-
SSDEEP
24576:U2G/nvxW3Ww0t0ioe8kK14eZeOBQE2iT5tH9DieCUHcOTz21ABA:UbA300irKJUbs9D3CeP6A2
Malware Config
Targets
-
-
Target
rat.exe
-
Size
1.6MB
-
MD5
3d8e2b72bd850e6d45114d61462b9f33
-
SHA1
c78aa9851c20a26ee2dc8a91b90f8edcdb46dc77
-
SHA256
6c6d5ba17c53f8eb5c280fc6945f4c4254dee1cdb8600f3a70dfdc64d67f4ec5
-
SHA512
0b57f0522e37f44bbb0c54387a7622da5282be555799148de7d6a2f1ca29ec9b5477a00169d9a1e7a678fc2d22802fdaddae7e66a1b12ab8d807b0cd0d6bb484
-
SSDEEP
24576:U2G/nvxW3Ww0t0ioe8kK14eZeOBQE2iT5tH9DieCUHcOTz21ABA:UbA300irKJUbs9D3CeP6A2
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1