General
-
Target
DCRatBuild.exe
-
Size
1.3MB
-
Sample
250116-zvrgqszkgr
-
MD5
eec69775acc89f2f67ecb0d80dc029a5
-
SHA1
dcd800fd58fec732c0feae2febfe947f45d3944e
-
SHA256
6e493132db3dfb86fe69552649d14eee2771430d42ff1a50f96e3e640acbf2f0
-
SHA512
efb125891360665b85c5b11004da2de33e2f13abcf9406aa13ceb222e5ccbf5779d802cedf0f27f8e41d1a84d523a6a279e6d1bf303e035369f0bfe426457053
-
SSDEEP
24576:u2G/nvxW3WieCGKjeM+4v4Rr6joRBbULA70dqMgkXIdu3GbyP+m:ubA3jGKTmMmULA7CbId8Gbo
Malware Config
Targets
-
-
Target
DCRatBuild.exe
-
Size
1.3MB
-
MD5
eec69775acc89f2f67ecb0d80dc029a5
-
SHA1
dcd800fd58fec732c0feae2febfe947f45d3944e
-
SHA256
6e493132db3dfb86fe69552649d14eee2771430d42ff1a50f96e3e640acbf2f0
-
SHA512
efb125891360665b85c5b11004da2de33e2f13abcf9406aa13ceb222e5ccbf5779d802cedf0f27f8e41d1a84d523a6a279e6d1bf303e035369f0bfe426457053
-
SSDEEP
24576:u2G/nvxW3WieCGKjeM+4v4Rr6joRBbULA70dqMgkXIdu3GbyP+m:ubA3jGKTmMmULA7CbId8Gbo
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-