General
-
Target
87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
-
Size
149KB
-
Sample
230217-wh9k1agf67
-
MD5
44ec25472db6fee472da351f487dc468
-
SHA1
ec1213cf3c2e4cfb59d6c5939cec70127ae5089a
-
SHA256
87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
-
SHA512
5a19e138bb7233701d1b4d00d135e95741f3cf2294458ce393ad2de11642a15382efaff94eb6563969fb60663e3606f59f92756900d3f4b37d8f928d89f262e6
-
SSDEEP
3072:eEChCvRP0UwWtirLOFtugxs3zobkeZOo3:e5hCvFvwsxFEg63wKo
Static task
static1
Malware Config
Targets
-
-
Target
87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
-
Size
149KB
-
MD5
44ec25472db6fee472da351f487dc468
-
SHA1
ec1213cf3c2e4cfb59d6c5939cec70127ae5089a
-
SHA256
87cd55f5b4dff94e4339b43efb54aa329491bf97ac8b483c2de734c1511303b7
-
SHA512
5a19e138bb7233701d1b4d00d135e95741f3cf2294458ce393ad2de11642a15382efaff94eb6563969fb60663e3606f59f92756900d3f4b37d8f928d89f262e6
-
SSDEEP
3072:eEChCvRP0UwWtirLOFtugxs3zobkeZOo3:e5hCvFvwsxFEg63wKo
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Smokeloader packer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-