General
Target: Loader.exe
Size: 1.7MB
Sample: 210728-fbeg18jy2a
MD5: e44153fbc8eb2869e5eed232cf084427
SHA1: 844d785dc829228f34bd4c77c27ce6a87766f287
SHA256: 75739212f39d025329e1c4594f8e2b5be07402bef199b342b459d88bfeaf88cb
SHA512: 0034dc469c601cb8688241dcfb4afc36761d536d4d252f58083105afc97b9c460f39764cf142cd03f71b008c3391c28fd4585b58502a31919f8735b25692097c
Malware Config
Targets
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Executes dropped EXE
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory