General

Target: b2342e0ebf939d7d7e81ff782b4539b84fed2ca4e418e965f0cb8552a860fe5c
Size: 149KB
Sample: 230217-tz8nxsfg9t
MD5: 6701afef3227aa7daa28f8a416981a2f
SHA1: fea537b3cee11bcc2b3eb5eb68636124b2c8b985
SHA256: b2342e0ebf939d7d7e81ff782b4539b84fed2ca4e418e965f0cb8552a860fe5c
SHA512: eb3d60095245e11f545c85763fd9cb24dc0eaab72feb463f29b4393b307b541fae8525401b893c31aef5355a8ee440d95544983b606e1377adbab8b89b020535
SSDEEP: 3072:rNCFuCMZ69PLIA9oeWzPybSDljAc11koaAL9a3UhoG:rgFuzZ690Blza2BAc1KDAL9a3Qo

Static task: static1
Behavioral task: behavioral1
Sample: b2342e0ebf939d7d7e81ff782b4539b84fed2ca4e418e965f0cb8552a860fe5c.exe
Resource: win10v2004-20220901-en
Malware Config

Targets

Target: b2342e0ebf939d7d7e81ff782b4539b84fed2ca4e418e965f0cb8552a860fe5c
Size: 149KB
MD5: 6701afef3227aa7daa28f8a416981a2f
SHA1: fea537b3cee11bcc2b3eb5eb68636124b2c8b985
SHA256: b2342e0ebf939d7d7e81ff782b4539b84fed2ca4e418e965f0cb8552a860fe5c
SHA512: eb3d60095245e11f545c85763fd9cb24dc0eaab72feb463f29b4393b307b541fae8525401b893c31aef5355a8ee440d95544983b606e1377adbab8b89b020535
SSDEEP: 3072:rNCFuCMZ69PLIA9oeWzPybSDljAc11koaAL9a3UhoG:rgFuzZ690Blza2BAc1KDAL9a3Qo
Signatures

- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Detects Smokeloader packer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Sets file execution options in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Registers COM server for autorun
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext