General
Target: 6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Size: 1.5MB
Sample: 250111-mstg4azkhl
MD5: 7b81efb209e9196c7cc9fcd1dec94fe0
SHA1: fd7f106b9ff78b24f103ed478c67648e392f4de5
SHA256: 6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07
SHA512: 60a7a9bafb1920dd1ade5fdcd659e5f8f6150143352b2ac7a708e95010fb89c9532f3d7e4cfd17850da60ded76c66af3d62f4f0d464a15869b13a488f2d81269
SSDEEP: 24576:dbfESdvMj6hoGDAQsJ+N6XcHQWq3QY2SrXQLdok0OjYS4mej+T1kJCv:ZEi6GDAQORcwW5/oBjme81
Static task: static1
Behavioral task: behavioral1
Sample: 6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: 6ddfea9b6a5af2c8d1062c0377a84d0ce6601a13a6da05438278b86fc4b3de07N.exe (size, MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10
DcRat
DarkCrystal (DC) is a .NET RAT first observed in June 2019 that can load additional plugins.
-
Dcrat family
-
Modifies Winlogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Adds Run key to start application
-
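The signatures above describe registry persistence (Winlogon, Run keys, scheduled tasks), Defender exclusions added through PowerShell, and a registry country-code lookup. The following triage script is an added example written for this page, not part of the sandbox report or of DcRat itself: it checks a suspect Windows host for each of those artifacts. The Winlogon, Run-key and Defender locations are the standard ones; the `Geo\Nation` value is an assumption about which registry key a "country code" lookup targets, and the user-writable path pattern is a heuristic, not an indicator taken from the report.

```powershell
# Added triage example (not from the sandbox report or the malware). Run in an
# elevated PowerShell on the suspect host. Locations are the standard Winlogon,
# Run-key and Defender settings; Geo\Nation is an assumed geofence source.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Category, [string]$Location, [string]$Value) {
    $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Value = $Value })
}

# Heuristic: binaries launched from user-writable directories are where dropped EXEs usually live.
$userWritable = '(?i)\\(Users|ProgramData|Temp|AppData)\\'

# 1. Winlogon helper values. Defaults are Shell = explorer.exe and
#    Userinit = C:\Windows\system32\userinit.exe, ; anything else is suspect.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
    Add-Finding 'Winlogon' "$winlogon\Shell" $wl.Shell
}
if ($wl.Userinit -and $wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
    Add-Finding 'Winlogon' "$winlogon\Userinit" $wl.Userinit
}
# Per-user Winlogon overrides are rarely legitimate at all.
$wlUser = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
foreach ($name in 'Shell', 'Userinit') {
    if ($wlUser.$name) { Add-Finding 'Winlogon (HKCU)' "HKCU Winlogon\$name" $wlUser.$name }
}

# 2. Run / RunOnce keys: list every entry, flag those pointing at user-writable paths.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
        $category = if ($p.Value -match $userWritable) { 'Run key (user-writable path)' } else { 'Run key' }
        Add-Finding $category "$key\$($p.Name)" $p.Value
    }
}

# 3. Defender exclusions. Droppers add these with Add-MpPreference; a clean
#    workstation usually has none, so every entry deserves a look.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($x in $mp.ExclusionPath)      { Add-Finding 'Defender exclusion' 'ExclusionPath' $x }
    foreach ($x in $mp.ExclusionExtension) { Add-Finding 'Defender exclusion' 'ExclusionExtension' $x }
    foreach ($x in $mp.ExclusionProcess)   { Add-Finding 'Defender exclusion' 'ExclusionProcess' $x }
}

# 4. Scheduled tasks whose action executes from a user-writable location.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -match $userWritable) {
            Add-Finding 'Scheduled task' $_.TaskName "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 5. Geofence context: the configured country code (assumed key for such lookups).
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
if ($geo.Nation) { Add-Finding 'Info' 'HKCU:\Control Panel\International\Geo\Nation' $geo.Nation }

$findings | Sort-Object Category | Format-Table -AutoSize
```

Run-key entries are listed in full rather than filtered, because a legitimate-looking path is not proof of a legitimate binary; compare each listed executable's hash against the sample's SHA256 from the General section before clearing it.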
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (T1059): 1
  - PowerShell (T1059.001): 1
- Scheduled Task/Job (T1053): 1
  - Scheduled Task (T1053.005): 1
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Scheduled Task/Job (T1053): 1
  - Scheduled Task (T1053.005): 1