General
-
Target
1486c88df7d1c0cfa8a3c069eb26973f.exe
-
Size
2.5MB
-
Sample
250519-erhp7shp2v
-
MD5
1486c88df7d1c0cfa8a3c069eb26973f
-
SHA1
86d0efa95e16d71586b7c8a2e0c2f17f81df1299
-
SHA256
49f0f6d6f5189dbd2fbf2f1a4cb25d85e9d28b6e12c60d5a140302769778b75a
-
SHA512
e7c854783dce21d2bda5364542471a0bd4f4bdafde04da22598d2c21c036f78e9ecc2b14b68b4a61e0b6a4b0f87a280c409d4c0aae056964291759011391ef98
-
SSDEEP
24576:iHQyS2nX7F4Cw7sULd3yUJVdnp2QpeTmw6jR5/sfNEcI45r4h1G9kImy2yZDT6t:sQyJX7F+0K4Qsmw6wOKSM
Malware Config
Targets
-
-
Target
1486c88df7d1c0cfa8a3c069eb26973f.exe
-
Size
2.5MB
-
MD5
1486c88df7d1c0cfa8a3c069eb26973f
-
SHA1
86d0efa95e16d71586b7c8a2e0c2f17f81df1299
-
SHA256
49f0f6d6f5189dbd2fbf2f1a4cb25d85e9d28b6e12c60d5a140302769778b75a
-
SHA512
e7c854783dce21d2bda5364542471a0bd4f4bdafde04da22598d2c21c036f78e9ecc2b14b68b4a61e0b6a4b0f87a280c409d4c0aae056964291759011391ef98
-
SSDEEP
24576:iHQyS2nX7F4Cw7sULd3yUJVdnp2QpeTmw6jR5/sfNEcI45r4h1G9kImy2yZDT6t:sQyJX7F+0K4Qsmw6wOKSM
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1