General
-
Target
11def98517c93e2a955df827ed88a3a2.bin
-
Size
18.7MB
-
Sample
230116-xms99abf84
-
MD5
11def98517c93e2a955df827ed88a3a2
-
SHA1
12d175a93a7b161bd8d4d6b489e95f15e34ad283
-
SHA256
9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb
-
SHA512
de189488e83e72ec79829325454584b452f3ebec54f81f9de804e590bd8e6f086c7709d504cc2b4e8a4e16fa27e64eedda963c51a60440bb71a9a842d8bd4130
-
SSDEEP
393216:A2lbkeGJYGzcQBWCZ5rbfo0yAoRu0fDzsg4wTIxxqFSGUpDjC4RXBLs8nt0n:AZeGJR3IqWA+7zF4wTHYGUplBLsf
Behavioral task
behavioral1
Sample
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
tmp.exe
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
tmp.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral5
Sample
tmp.exe
Resource
win7-20220901-en
Behavioral task
behavioral6
Sample
tmp.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral7
Sample
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Resource
win7-20221111-en
Behavioral task
behavioral8
Sample
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
http://45.81.224.130/any.exe
Targets
-
-
Target
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
-
Size
1.7MB
-
MD5
c090c2077f7c71e38f4b7fedfe0ef1e3
-
SHA1
2d01b3e7f9f80961aa6bada443a5d969bf88c052
-
SHA256
a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
-
SHA512
150d46cd92ab52985ee1cfa197ecfb50fe83c3d7070b99ffd187e72582b6b539e63edb990dc820882a900f446512c391557848568c35d57382abb48207e0d028
-
SSDEEP
24576:U2G/nvxW3Ww0tjWmsIUvGdf4wNKfgo9WB4E/rR9NVGIoUtcrneDa0kPs/MQdb6Of:UbA30jW9vgwrng9EIZyqa0esNnN5P
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
-
-
Target
tmp
-
Size
15.7MB
-
MD5
5c9360467aba93db8eaa351b62b93afc
-
SHA1
cef8b31d41b2eb3bd1c1454a96afc43911db85ab
-
SHA256
b49c294afa4366bf02faccce77dedf2c9ba3d4aa4073c13fe22bd202821d94e6
-
SHA512
133dc14f6df1d898e968a09d4a60a32345a252031f57bb250674b98b38e338170f9b3e88b00c88acd5f7a3da72d58a078ae52b175af0c6e41e4ccc72f93538cb
-
SSDEEP
393216:U81/eXkkM7cGGBNpuXKhBqJ0CEZsXVqNIyc2KBcr27eEHTPI:U86MihuXCBe0CEYqNIygdrI
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Modifies security service
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
-
-
Target
tmp
-
Size
1.1MB
-
MD5
1466f001f010dfed5838484c2fb25a56
-
SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc
-
SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc
-
SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0
-
SSDEEP
12288:4epPM2lx+HOqRo1lEBht1ylUyeewN3eJE3/oZ4DFWX4DBYFn9ducCSLEelT+wsHu:X0Vey/Olg5pwZesvCStZsbqSNz6
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
-
-
Target
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
-
Size
1.3MB
-
MD5
adde6baef89ebb01b5e60f15610ba470
-
SHA1
edc49b43aa822b754ee617db11c3ffc1a3e79ec1
-
SHA256
e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
-
SHA512
89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-