General
-
Target
MultiHack STALCRAFT.exe
-
Size
2.6MB
-
Sample
221228-b38h8acb8y
-
MD5
999f1063f749669bfb2ca8b981a02fc3
-
SHA1
b7cfbea56657a13fc857ef4fc0709f90c2e00433
-
SHA256
e850c790d73622a00145c2db809cfdef073894a15f6b1ccbf64ee431b9472306
-
SHA512
2695ba800010e688e4656f209a91f666b60859d1d28bba5ffd941fc7532385360a90362882c1564dd21486ac0ba085d8692cd7e030d8935df02a737f811b254b
-
SSDEEP
49152:UbA30+n2mgETrv8FVKWlhzEyZqRbSMeLDH/nNycDsenl9pf0ibF7izYk:Uba2irch77YW/HfgcwClr8sRizB
Behavioral task
behavioral1
Sample
MultiHack STALCRAFT.exe
Resource
win7-20220812-es
Behavioral task
behavioral2
Sample
MultiHack STALCRAFT.exe
Resource
win10v2004-20221111-es
Malware Config
Targets
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-