General
Target
Wasabi-2.0.0-windows-x64.zip
Size
80.1MB
Sample
230111-npckvafg8x
MD5
2cbfd51c9361d4365d172fe3df3216c4
SHA1
92d443091e30388a5da3d520b3727a76677f2747
SHA256
9b0abab903b2ed566821a42698e80ef913aed05cfff27a4401c6bafdb57967c8
SHA512
7920b4de60292eb49a2d1952bed7f73823ba5e0d0bdf3a274583f6640d874e896c5989491c65c91e184cb0401ed55714efa0056ca8922994b5ef00bd43d1052c
SSDEEP
1572864:KMZOxvtMwIGpwaysUE69BN2/THzGDsXhH7yRhVIbJCTQHm540Tm7q2e+V3Uvokuu:rc7Ieyo69BQriDC9yrVTTQG5K7VeLJuu
Static task
static1
Behavioral task
behavioral1
Sample
Wasabi-2.0.0-windows-x64.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Wasabi-2.0.0-windows-x64.exe
Resource
win10v2004-20220901-en
Malware Config
Targets
Target
Wasabi-2.0.0-windows-x64.exe
Size
80.2MB
MD5
d891a0dd3031ba640ad4ac38e637193d
SHA1
aa8d36b8b0df86458c4c2c584209938bfd2a21ff
SHA256
cabfd8d8f97582b86787a83a1dee4446d0f2e3ba4f346884c5cd6e242b61df78
SHA512
cd4e2db41df7a843a5bc1fa8cb0ac9778ffe315311aa19a84c1e36e122af38ff6e61d3bbe26582f508c1ecfc36b5df2a2f988ed1450d4e7c10499c319c130a6d
SSDEEP
1572864:fm9oNpXGKGC5kSQUwOy5NpYpnFzGl4vBzDKBbRUfJUNQxup00Hc1q8ACfH85Ckwq:e6ZG+Qoy5NoFilK9KJRxNQgv81/Apnwq
Score
10/10

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.