General
Target: componentwin.exe
Size: 1.8MB
Sample: 250521-z9d5yscq9t
MD5: a59c05c8708191cdc9359b5ea25ecf96
SHA1: 7e75fff5cfe429101be53f239971dfc81cda108c
SHA256: 1a7987977d12b04638650af01c46c562d6741a308bd92dcf10a90040b436b02d
SHA512: e747eb38e35156c3cfaa435c64eeece0929e8a6bf4d1a8aecba4817905db15f8296bac1f82eb2ac77bff46e12be34b20315f25b6bbe4647e3cd52355653ee741
SSDEEP: 49152:gPtkS+945fvkLKZ4/30DgDVi8frkxOSwaEU:gPtkS+v+KsDLUrGOSwt
Static task: static1
Behavioral task: behavioral1
Sample: componentwin.exe
Resource: win10v2004-20250502-en
Malware Config
Targets
Target: componentwin.exe (1.8MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Score: 10/10
- DcRat: DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
- Dcrat family
- Modifies Winlogon for persistence
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
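The Winlogon modification and the Run key are the two persistence points to check on any host where this hash has been seen. The script below is an added example and is not part of the sandbox report or the sample: it parses a Windows .reg export (the output of `reg export`) and flags a non-default Winlogon Shell/Userinit value and every Run/RunOnce entry, tagging each with the ATT&CK sub-technique the report maps it to. The embedded .reg text is constructed for illustration, and the componentwin.exe paths in it are hypothetical.

```python
"""Scan a Windows .reg export for the persistence points flagged in the report.

Added example, not part of the sandbox report. SAMPLE_REG is constructed for
illustration; the componentwin.exe paths in it are hypothetical.
"""
import re

# Registry key (lower-cased) whose Shell/Userinit values Winlogon runs at logon.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Clean Windows 10 defaults; Userinit keeps its trailing comma.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
# Per-user and machine-wide autostart keys (HKCU and HKLM, including Wow6432Node).
RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)$")
# ATT&CK sub-techniques the report maps these behaviours to.
TECHNIQUE = {"winlogon_helper": "T1547.004", "run_key": "T1547.001"}

# Constructed input: what `reg export` of the two keys might look like after infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\componentwin.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"componentwin"="\"C:\\Windows\\System32\\componentwin.exe\""
'''


def _unescape(data):
    """Undo .reg quoting of a REG_SZ value: strip outer quotes, unescape \\ and \"."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return data  # dword:/hex: forms are left as written


def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue  # header line before the first key
        if line.startswith("@="):
            keys[current]["@"] = _unescape(line[2:])
            continue
        m = re.match(r'^"(.*?)"=(.*)$', line)
        if m:
            keys[current][m.group(1).lower()] = _unescape(m.group(2))
    return keys


def find_persistence(keys):
    """Return (kind, technique_id, location, data) tuples for suspicious entries."""
    findings = []
    winlogon = keys.get(WINLOGON_KEY, {})
    for name, default in WINLOGON_DEFAULTS.items():
        # Any deviation from the stock value means another binary runs at logon.
        if name in winlogon and winlogon[name].lower() != default:
            findings.append(("winlogon_helper", TECHNIQUE["winlogon_helper"],
                             f"{WINLOGON_KEY}\\{name}", winlogon[name]))
    for path, values in keys.items():
        if RUN_KEY_RE.search(path):
            # Run keys have no legitimate default; every entry is reviewed by hand.
            for name, data in values.items():
                findings.append(("run_key", TECHNIQUE["run_key"], f"{path}\\{name}", data))
    return findings


if __name__ == "__main__":
    for kind, tid, where, data in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"[{tid}] {kind}: {where} -> {data}")
```

To run it against a real host, export the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg /y` (and the HKCU/HKLM `...\CurrentVersion\Run` keys), then open each file with `encoding="utf-16"` before passing its text to `parse_reg`, since `reg export` writes UTF-16LE with a BOM. Anything the Userinit or Run entries point to should be hashed and compared with the SHA256 listed under General.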
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (T1547), 2 matches: Registry Run Keys / Startup Folder (T1547.001), 1; Winlogon Helper DLL (T1547.004), 1
- Scheduled Task/Job (T1053), 1 match: Scheduled Task (T1053.005), 1