General
-
Target
04bc55e59d87e74f4c0ec46372abd189.exe
-
Size
1.2MB
-
Sample
230109-vmeezsad5y
-
MD5
04bc55e59d87e74f4c0ec46372abd189
-
SHA1
b56a220ce878cc0aced7b9245e9ecc91d34595df
-
SHA256
7061c7e12d504439149ec1e7cdb81a90bb54b6f067b14e62372bfd9398df3795
-
SHA512
0fc1c2a801331149a296e060347eb6ded5eafc22b8fd5b4435f76c04b3d1a2177150319c6c6e52d992d6f7aeb2083496dfded4ddbb993f3cc363833f87e57e6d
-
SSDEEP
24576:AWFIGSbrjVGH+PZmriNz9GNTq6w1ZdTM0QfbSQk4j46oHO:PIxmxvlaO
Behavioral task
behavioral1
Sample
04bc55e59d87e74f4c0ec46372abd189.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
04bc55e59d87e74f4c0ec46372abd189.exe
Resource
win10v2004-20221111-en
Malware Config
Targets
-
-
Target
04bc55e59d87e74f4c0ec46372abd189.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-