General
-
Target
https://mega.nz/file/D8QXySgS#oaCPsQjxWQYOnqJF0GDRlUc1L5Lb0Pxo7BzoLAtkduE
-
Sample
250604-btx15ayqx3
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://mega.nz/file/D8QXySgS#oaCPsQjxWQYOnqJF0GDRlUc1L5Lb0Pxo7BzoLAtkduE
Resource
win10v2004-20250502-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7396142470:AAFvQ2Myxx59JurnFHB_gLTSXPNkel5cniA/sendPhoto?chat_id=8185181040&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20d4528144098942a05b9de976eb9b8c4aca92f949%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20XBBHRPZO%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.85%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CmsComponent%5CPortmonitor.ex
https://api.telegram.org/bot7396142470:AAFvQ2Myxx59JurnFHB_gLTSXPNkel5cniA/sendMessage?chat_id=8185181040
Targets
-
-
Target
https://mega.nz/file/D8QXySgS#oaCPsQjxWQYOnqJF0GDRlUc1L5Lb0Pxo7BzoLAtkduE
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Gurcu family
-
UAC bypass
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v16
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1