General
-
Target
0e7538073640e94a8d277d5c455e88d8.exe
-
Size
1.7MB
-
Sample
250207-2scxnstjdr
-
MD5
0e7538073640e94a8d277d5c455e88d8
-
SHA1
23320607446a750d0f0b79b75facd0e15c881e85
-
SHA256
848feeb5b4b55aef6fbd560d0800ee2370d4cb935495abb82f2870169c42aae5
-
SHA512
225a5d1863ada9d82d51ee9b4f073ca1d964b237fa1994970adb07b0b16ba3c6c759ce11f2f0806f96be75f688ac4674e33cba0de39ea40ab96d64654323d844
-
SSDEEP
49152:aLUbMVuHF+xDNs7Y8R7mY58jJlMUwgUK:agbCvxDNIY8hujEJK
Malware Config
Targets
-
-
Target
0e7538073640e94a8d277d5c455e88d8.exe
-
Size
1.7MB
-
MD5
0e7538073640e94a8d277d5c455e88d8
-
SHA1
23320607446a750d0f0b79b75facd0e15c881e85
-
SHA256
848feeb5b4b55aef6fbd560d0800ee2370d4cb935495abb82f2870169c42aae5
-
SHA512
225a5d1863ada9d82d51ee9b4f073ca1d964b237fa1994970adb07b0b16ba3c6c759ce11f2f0806f96be75f688ac4674e33cba0de39ea40ab96d64654323d844
-
SSDEEP
49152:aLUbMVuHF+xDNs7Y8R7mY58jJlMUwgUK:agbCvxDNIY8hujEJK
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1