General
-
Target
13f24a33b0bda605948ee337aac9f7095faeb536a0c1ba8d221a53af3822eec3.exe
-
Size
2.7MB
-
Sample
250120-cjex8swnhr
-
MD5
f9b06779ef8886e3db38dd8edf2c8ae7
-
SHA1
87c11d3f703d6690f5e6aefa5ddabd0eccdb2c43
-
SHA256
13f24a33b0bda605948ee337aac9f7095faeb536a0c1ba8d221a53af3822eec3
-
SHA512
e7191e615d4fe09136ff49f6e33cc219da7c3421259bc1f648e59e1cfc9c9d93970cb68dd6d8af072ad93867e14d71aa54e41c70d91d31a49b09dbb497d1a5b0
-
SSDEEP
49152:EGBMeNyllOBdHoYMPRdpOIzP1hu8yPhynpFkn1bkrfWv1LW35IS8CD+isjlQ:BMB7gJUfJ9hcPIpFqtkTWv1w5IgWi
Behavioral task
behavioral1
Sample
13f24a33b0bda605948ee337aac9f7095faeb536a0c1ba8d221a53af3822eec3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
13f24a33b0bda605948ee337aac9f7095faeb536a0c1ba8d221a53af3822eec3.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
Target
13f24a33b0bda605948ee337aac9f7095faeb536a0c1ba8d221a53af3822eec3.exe
Score 10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1
Scheduled Task: 1