General
Target: c4e73a6963047ced86ad548cb7a572ca.exe
Size: 12.2MB
Sample: 230111-f4wchaae72
MD5: c4e73a6963047ced86ad548cb7a572ca
SHA1: 9a983d43e8790aed5b205c87a05b034fd468a999
SHA256: 2608011bb9bd8b7cd8ddc0790e5a6499e1a1fc53864d832804ebebc4955415bb
SHA512: 0d806662c868f25f70aa606bcca49b047509d583047b02c76a50df2f7222c6dcff34f852d6d3dde36f8fb1af6ffafd0cee9cb1c0d258804f631bc31f59391109
SSDEEP: 393216:siZNJQxvME6Ek5SUOKsKrdCsSjqx23BUC4:seNaxvMfJkU6odC5jRe
Static task: static1
Behavioral task: behavioral1
Sample: c4e73a6963047ced86ad548cb7a572ca.exe
Resource: win7-20221111-en
Malware Config
Targets
Target: c4e73a6963047ced86ad548cb7a572ca.exe
Size: 12.2MB
- DcRat
  DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Modifies security service
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Possible privilege escalation attempt
- Stops running service(s)
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Modifies file permissions
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext