General
Target: Discord.exe
Size: 1.8MB
Sample: 250208-1ldd7awrhn
MD5: b5c4fa68d74ab47092a46241d6b10a16
SHA1: e754f10c51933c1ef98782fbf695e8f21198fe7e
SHA256: 20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a
SHA512: 3ab67cb936cab9eb89bb8275309cbc5f56d7f03e554b5cc7bd54305c282b6e8a0feb4af8c1ebc7073d63c371444751c522b030748b4d57c28a768fd6cfdb5293
SSDEEP: 24576:xoGjZgFKRWhFSJVRNkiPmfqbvi5iqOlK565cvugnpQS2/DS7w0KksrSTkdu+vNph:xav+RxbvikJj4npQS2/DSs6YVz7sD
Static task: static1
Behavioral task: behavioral1
Sample: Discord.exe
Resource: win7-20241010-en
Malware Config
Targets
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Downloads MZ/PE file

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Executes dropped EXE

MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)