General

Target:  1feb43221d231b3137124132a87a53ff6f4a5a32e210e92a0635aff619852d83N.exe
Size:    3.7MB
Sample:  250207-21eq8stmdl
MD5:     ca3bf1001b3d7f8700cae6ce3adb0c10
SHA1:    727b6a0a22451b9b7be18256125663f731c70d1e
SHA256:  1feb43221d231b3137124132a87a53ff6f4a5a32e210e92a0635aff619852d83
SHA512:  a01467e197006c225d6cdd8e17933bd318ea17e198cf17609e51f8ca18b29b164275cfcef2ed809a09c748c611c34c34ee6678a74521ee44bf0b0126b25fbb44
SSDEEP:  98304:jZurNQcigALujj+eBIRZsgw7bXbC7srf33dXTkMVlic:tu6ciyOJZsFjgsrP3dXgMVl5
Behavioral tasks

behavioral1
  Sample:   1feb43221d231b3137124132a87a53ff6f4a5a32e210e92a0635aff619852d83N.exe
  Resource: win7-20241010-en

behavioral2
  Sample:   1feb43221d231b3137124132a87a53ff6f4a5a32e210e92a0635aff619852d83N.exe
  Resource: win10v2004-20250207-en
Malware Config

Targets

Target: 1feb43221d231b3137124132a87a53ff6f4a5a32e210e92a0635aff619852d83N.exe (3.7MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to those listed under General)
DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process
  This typically indicates that the parent process was compromised via an exploit or a macro.
UAC bypass
Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
Executes dropped EXE
Checks whether UAC is enabled
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
MITRE ATT&CK Enterprise v15

Tactic                Technique (matches)                       Sub-technique (matches)
Privilege Escalation  Abuse Elevation Control Mechanism (1)     Bypass User Account Control (1)
                      Scheduled Task/Job (1)                    Scheduled Task (1)
Defense Evasion       Abuse Elevation Control Mechanism (1)     Bypass User Account Control (1)
                      Impair Defenses (1)                       Disable or Modify Tools (1)
                      Modify Registry (3)                       -
                      Subvert Trust Controls (1)                Install Root Certificate (1)
Credential Access     Credentials from Password Stores (1)      Credentials from Web Browsers (1)
                      Unsecured Credentials (1)                 Credentials In Files (1)