General
-
Target
032a8cb34ca539454b0bf8309fb93010db415d19c853157d15eb8f6e7951f4de
-
Size
194KB
-
Sample
221115-t34jdaaf3w
-
MD5
fc5e564e04fc310223bda03612f6bbe5
-
SHA1
4516b8ce9db5978862018c7f807e34dc0d3d990e
-
SHA256
032a8cb34ca539454b0bf8309fb93010db415d19c853157d15eb8f6e7951f4de
-
SHA512
2df4df7198b9c2607d601cf2cba4add5183c716f5911eaa6ac865aae9bdab5b2bcc63c1b4a88f6f65fa4a8aec81e2137614be18ed7d6ba959351863a58b3df76
-
SSDEEP
3072:Kq27jJ5NHaIlgtwuyT5aWMZiS6rJNnNTsIGO4TARz:upj1jT57PrJNN9
Static task
static1
Behavioral task
behavioral1
Sample
032a8cb34ca539454b0bf8309fb93010db415d19c853157d15eb8f6e7951f4de.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Family: raccoon
dbffbdbc9786a5c270e6dd2d647e18ea
C2: http://79.137.205.87/
Targets
-
Target
032a8cb34ca539454b0bf8309fb93010db415d19c853157d15eb8f6e7951f4de
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Detect Amadey credential stealer module
-
Detects Smokeloader packer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read to detect sandbox or virtual-machine environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
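Several of the signatures above (the BIOS keys, the VirtualBox ACPI tables, the Geo\Nation location value, the Uninstall key enumeration, the Run key write and the Outlook profile access) are recognisable from a sandbox's registry event stream. The following is an added example written for this page, not Triage's signature engine or the sample's code; the pipe-separated event format, the process name and the exact key paths in the rules are assumptions modelled on typical sandbox and Procmon output.

```python
"""Map registry events to the behavioural signatures named in this report.

Added example for this page (not Triage's own signature engine). The
'<op>|<process>|<path>' event format, the process name and the key paths
in the rules are assumptions modelled on typical sandbox/Procmon output.
"""
import re

# Constructed sample events, one per line: <operation>|<process>|<registry path>.
SAMPLE_EVENTS = r"""
RegQueryValue|sample.exe|HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
RegQueryValue|sample.exe|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegOpenKey|sample.exe|HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegQueryValue|sample.exe|HKCU\Control Panel\International\Geo\Nation
RegEnumKey|sample.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
RegSetValue|sample.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater
RegOpenKey|sample.exe|HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook
RegQueryValue|sample.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
"""

# (signature name as it appears in the report, operations that count, path pattern)
RULES = [
    ("Checks BIOS information in registry",
     {"RegOpenKey", "RegQueryValue"},
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(BIOS\\|SystemBiosVersion|VideoBiosVersion)", re.I)),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     {"RegOpenKey", "RegQueryValue"},
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks computer location settings",
     {"RegQueryValue"},
     re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Checks installed software on the system",
     {"RegOpenKey", "RegEnumKey"},
     re.compile(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I)),
    ("Adds Run key to start application",
     {"RegSetValue"},
     re.compile(r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    ("Accesses Microsoft Outlook profiles",
     {"RegOpenKey", "RegQueryValue"},
     re.compile(r"^HKCU\\SOFTWARE\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles", re.I)),
]


def parse_events(text):
    """Parse '<op>|<process>|<path>' lines into tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        events.append(tuple(parts))
    return events


def match_signatures(events):
    """Return {signature name: [matching registry paths]} for the event list."""
    hits = {}
    for op, _process, path in events:
        for name, ops, pattern in RULES:
            if op in ops and pattern.search(path):
                hits.setdefault(name, []).append(path)
    return hits


def anti_analysis_score(hits):
    """Count how many evasion-related signatures fired; a crude triage
    heuristic where two or more suggests sandbox/VM awareness."""
    evasion = {
        "Checks BIOS information in registry",
        "Identifies VirtualBox via ACPI registry values (likely anti-VM)",
        "Checks computer location settings",
    }
    return len(evasion & set(hits))


if __name__ == "__main__":
    hits = match_signatures(parse_events(SAMPLE_EVENTS))
    for name, paths in hits.items():
        print(f"[+] {name}")
        for p in paths:
            print(f"      {p}")
    print(f"anti-analysis signatures fired: {anti_analysis_score(hits)}")
```

The rule set is deliberately keyed on the operation type as well as the path: a `RegQueryValue` on the Run key is routine (Explorer reads it), whereas a `RegSetValue` there is the persistence event the report flags. The Shell Folders query in the constructed data is included to show a benign lookup that matches nothing.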