General
Target: 597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd
Size: 5.9MB
Sample: 250328-1ma1fs11bz
MD5: f3e5836ba9def44862cd5adb5d1ad9e5
SHA1: 8b74f80ba8799969abe367bf502d9725129ffdeb
SHA256: 597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd
SHA512: 7f8c313d90a6460f446555170e624256796de3f5771454d836c2c20d67dcd7673ff7fd6c09bb87f14ae55bb18c671821f4106833444b9fd85f45b4235e3f8052
SSDEEP: 98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw46:hyeU11Rvqmu8TWKnF6N/1wN
Static task: static1
Behavioral task: behavioral1
  Sample: 597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
  Resource: win10v2004-20250314-en
Malware Config
Targets
- DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: This typically indicates that the parent process was compromised via an exploit or a macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)