General
-
Target
00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe
-
Size
8.6MB
-
Sample
250114-cfr4dstkhz
-
MD5
1ea4535c88b03713785f9303d4c522ae
-
SHA1
ee34a528ff322c5034105b6c6eb97bf13c3567fb
-
SHA256
00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546
-
SHA512
3ed3cf5296e8126743945c35f76324db516b503aa3dd62984613b2e522cdd4618fa997f6e339592e4838c53d49ec9269a3ed3e5b7f89e4d7639415ab4c712f0d
-
SSDEEP
196608:eSFFBadbelmNOxwuLlA1HeT39IigJ1ncKOVVtk7ZZtQcNP+P:l0Wmkqr1+TtIi00VQ/6Z
Behavioral task
behavioral1
Sample
00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1
Scheduled Task: 1
Privilege Escalation
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1
Scheduled Task: 1