Overview

overview

10

Static

static

10

394c5bdb28...17.exe

windows7-x64

10

394c5bdb28...17.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe

  • Size

    1.5MB

  • Sample

    250120-cphw3swnbz

  • MD5

    154029aecb8134930418ece2437864b8

  • SHA1

    a43825d5c82e4266a37e60a746c31ab128b2a4a1

  • SHA256

    394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617

  • SHA512

    2cc0dd8965fb53479fed5107ec2b8ba90ae15dbbc22f1d0d7bffc573cf049d69ce745840fdaa582060940f5be8381cfd5ecec870943d6a3ddda95c9f32a9826c

  • SSDEEP

    24576:u/R6JpYYCpuA5TwiNgFE/4vZy270wlc8cz4lc2zVg5OlyxJ:uZ6a8+DsZ5lyzIcUawly

Score
10/10
dcratinfostealerrat

Malware Config

Targets

    • Target

      394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe

    • Size

      1.5MB

    • MD5

      154029aecb8134930418ece2437864b8

    • SHA1

      a43825d5c82e4266a37e60a746c31ab128b2a4a1

    • SHA256

      394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617

    • SHA512

      2cc0dd8965fb53479fed5107ec2b8ba90ae15dbbc22f1d0d7bffc573cf049d69ce745840fdaa582060940f5be8381cfd5ecec870943d6a3ddda95c9f32a9826c

    • SSDEEP

      24576:u/R6JpYYCpuA5TwiNgFE/4vZy270wlc8cz4lc2zVg5OlyxJ:uZ6a8+DsZ5lyzIcUawly

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks