General

Target: 4508B79414A6EE98BADBF039ABA57A3C.exe
Size: 4.2MB
Sample: 210701-8755bwasfn
MD5: 4508b79414a6ee98badbf039aba57a3c
SHA1: 4d40b457b656220ffe113c83931675c1fa3ec12b
SHA256: ce6c7f3f54f49e2e6bd10fcdae8e91a616a4234df9f694d44db8582ab1c20ed1
SHA512: 52cdafdfb7f39f3dd9ed0c0d7584268e56ff05315974ebc9b4b8d47f1af9ac6c8380eae758c8e1d1bfd195311735d8a8d4e46d39e8f7155bd7521d483bee77ff

Static task: static1
Behavioral task: behavioral1
  Sample: 4508B79414A6EE98BADBF039ABA57A3C.exe
  Resource: win7v20210410

Malware Config
(none listed)

Targets

Target: 4508B79414A6EE98BADBF039ABA57A3C.exe (4.2MB; MD5, SHA1, SHA256 and SHA512 as listed under General)

Signatures:
- Contains code to disable Windows Defender
  A .NET executable that disables Windows Defender capabilities such as real-time monitoring and Block at First Sight.
- DcRat
  DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Setting ThreadHideFromDebugger on a thread stops it from delivering debug events to an attached debugger; a common anti-debugging technique.
- Suspicious use of SetThreadContext
  Rewriting another thread's register context is a common step in process injection and hollowing.