General
-
Target
cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445
-
Size
149KB
-
Sample
230217-1x2adshb6x
-
MD5
932c74304b16cf546adfc4c1e7b8908a
-
SHA1
083698ced09892795e485afcd3182d44734b1c69
-
SHA256
cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445
-
SHA512
d2e113596ffe3138b3b7c62e7ba579860a711e876800bc67da88f8c23cb168f6983eb6bfc9962a9fc1e56dfc354f20788709089f44fc5876ac62456704504771
-
SSDEEP
3072:xFspHvXz3KRBFDE2jyStDq6FmoHhCxLVcxf5SbCcJwiN:4JvXbKR82GKDq6DHhCpCj2C8wi
Static task
static1
Behavioral task
behavioral1
Sample
cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445.exe
Resource
win10v2004-20220901-en
Malware Config
Targets
-
-
Target
cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445
-
Size
149KB
-
MD5
932c74304b16cf546adfc4c1e7b8908a
-
SHA1
083698ced09892795e485afcd3182d44734b1c69
-
SHA256
cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445
-
SHA512
d2e113596ffe3138b3b7c62e7ba579860a711e876800bc67da88f8c23cb168f6983eb6bfc9962a9fc1e56dfc354f20788709089f44fc5876ac62456704504771
-
SSDEEP
3072:xFspHvXz3KRBFDE2jyStDq6FmoHhCxLVcxf5SbCcJwiN:4JvXbKR82GKDq6DHhCpCj2C8wi
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Smokeloader packer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-