General
-
Target
b330a516dc2ed01776ad58b0dc970216.exe
-
Size
1.6MB
-
Sample
250206-nsa67awjcn
-
MD5
b330a516dc2ed01776ad58b0dc970216
-
SHA1
78db141d31b8131aabd9ba1c9144a33c8cd6842b
-
SHA256
2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2
-
SHA512
f25f66055176b4060b94ff3c765d54d6d7ee0186b70001205c2e65696180a57b32de897df1664bad8611f81da0f3267b6daf9eea46a0c68c4746c54a56999209
-
SSDEEP
24576:GlZi59u2GRCRXXdoOH0dMPg/riXqsLS29ryVYNN+GCiRtnATOD:GPfsDHwsg/riE29rC2+GJRVA
Malware Config
Targets
-
-
Target
b330a516dc2ed01776ad58b0dc970216.exe
-
Size
1.6MB
-
MD5
b330a516dc2ed01776ad58b0dc970216
-
SHA1
78db141d31b8131aabd9ba1c9144a33c8cd6842b
-
SHA256
2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2
-
SHA512
f25f66055176b4060b94ff3c765d54d6d7ee0186b70001205c2e65696180a57b32de897df1664bad8611f81da0f3267b6daf9eea46a0c68c4746c54a56999209
-
SSDEEP
24576:GlZi59u2GRCRXXdoOH0dMPg/riXqsLS29ryVYNN+GCiRtnATOD:GPfsDHwsg/riE29rC2+GJRVA
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1