General

  • Target: DCRatBuild.exe
  • Size: 1.5MB
  • Sample: 250119-peywrsxmgq
  • MD5: c421510c6a46fcf9b10c90672df57670
  • SHA1: 8bd03e0a5c08e1bdce3c89c5cff0c251010f6371
  • SHA256: c15015876eb1710d01b4b3e624c08018c8d5c01d005b9a483be5edb17aaa709e
  • SHA512: 713bef3c610971b6b3d61ed492b93376fb2932acc328857d5558bdea519f6bebd386ed67744daa3a5d7f0ce635d9dcfb65930b902e6058855c721d165df16b11
  • SSDEEP: 24576:U2G/nvxW3Ww0tk1HW292457Vudtb6tphnwTlD7jL79usS68sRclBkfKWVedo:UbA30k12w5Dbh+lu08LIKWH

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks