General
Target: lithium external.zip
Size: 2.5MB
Sample: 250126-yw32gstkal
MD5: 5abaa60461ee4c19647911a8d9a0006a
SHA1: 76cc97f0581d174087f96f058d898b42e8c566a2
SHA256: 1605702f0909585b220918e1cbd6b236f5c47714a978990c7d5b43504b90163d
SHA512: 93f3d6b3849a2d9c5b81e9fd96cc60d065e5916ff470e974f2b9b5f49462f25ea18b1f4f32c1fe4f3a3c05eb214e1d5e0f6f25f443a5bb3d338eed2471c0f4f3
SSDEEP: 49152:aBIg2+HpqXdLYyrF7SUZSiwaJXA78bixRz4S87jaeg7hRFIz39O:o0NLLFSaJsxR4So+eg7hczA
Static task: static1
Behavioral task: behavioral1 (sample: lithium external.zip; resource: win7-20240729-en)
Behavioral task: behavioral2 (sample: lithium external.zip; resource: win10v2004-20241007-en)
Malware Config
Targets
Target: lithium external.zip
- DcRat: DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
- Dcrat family
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or a macro.
- UAC bypass
- Disables Task Manager via registry modification
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
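Three of the signatures above (Task Manager disabled through the registry, the UAC-enabled check, and the country-code lookup) can be reproduced from a registry trace. The following Python is an added example, not part of the sandbox report and not DcRat code: it parses a constructed trace in a sandbox-like `pid op path [= data]` format and returns which of the report's signature names fire. The three registry paths are the standard Windows locations for these settings; the report does not say which values the sample actually touched, so treating them as the keys DcRat used is an assumption, and the trace lines are made up for the example.

```python
"""Map registry reads/writes from a sandbox trace onto the report's signatures.

Added example, not the sandbox report's own code and not DcRat code.  The
registry locations are the standard Windows ones for each behaviour; the
report does not state which values the sample touched (assumption), and the
trace below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Standard locations behind three of the report's signatures.
DISABLE_TASKMGR = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
ENABLE_LUA = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
GEO_NATION = r"HKCU\Control Panel\International\Geo\Nation"


@dataclass(frozen=True)
class RegEvent:
    op: str    # "RegSetValue" or "RegQueryValue"
    path: str  # normalised, lower-cased hive\key\value
    data: str  # value written, "" for a query


# Constructed trace (not from the report): "<pid> <op> <path> [= <data>]".
# The last line is an unrelated persistence write and must not match.
SAMPLE_TRACE = """\
4120 RegQueryValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA
4120 RegQueryValue HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation
4120 RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr = 1
4120 RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost = C:\\Users\\Public\\svchost.exe
"""

_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<op>Reg\w+)\s+(?P<path>.+?)(?:\s+=\s+(?P<data>.*))?$")
_HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}


def _norm(path: str) -> str:
    """Collapse long hive names to HKCU/HKLM and lower-case for comparison."""
    hive, _, rest = path.partition("\\")
    return f"{_HIVES.get(hive.upper(), hive.upper())}\\{rest}".lower()


def parse_trace(text: str) -> list[RegEvent]:
    """Parse trace lines; blank or non-matching lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            events.append(RegEvent(m["op"], _norm(m["path"]), m["data"] or ""))
    return events


def match_signatures(events: Iterable[RegEvent]) -> set[str]:
    """Return the report's signature names triggered by the events."""
    hits = set()
    for e in events:
        if e.op == "RegSetValue" and e.path == _norm(DISABLE_TASKMGR) and e.data.strip() == "1":
            hits.add("Disables Task Manager via registry modification")
        elif e.op == "RegQueryValue" and e.path == _norm(ENABLE_LUA):
            hits.add("Checks whether UAC is enabled")
        elif e.op == "RegQueryValue" and e.path == _norm(GEO_NATION):
            hits.add("Checks computer location settings")
    return hits


if __name__ == "__main__":
    for name in sorted(match_signatures(parse_trace(SAMPLE_TRACE))):
        print(name)
```

Matching on a write of `1` rather than any write to `DisableTaskMgr` keeps a cleanup tool that sets it back to `0` from tripping the Task Manager signature; the UAC and geofence checks are reads, so a query alone is enough to flag them.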
MITRE ATT&CK Enterprise v15 (the number after each technique is the report's count for it)
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Scheduled Task/Job (T1053): 1
  - Scheduled Task (T1053.005): 1
Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Impair Defenses (T1562): 1
  - Disable or Modify Tools (T1562.001): 1
- Modify Registry (T1112): 3