General
-
Target
705e9d3021467e35dd43057a8e412e0eddb04603eb344ac4a31c3650f751aa14
-
Size
150KB
-
Sample
230217-zf7keahd42
-
MD5
0325ec4dc777b79587a835850fb9ee72
-
SHA1
d764e57392b7b547887afd713a1962853f2c9620
-
SHA256
705e9d3021467e35dd43057a8e412e0eddb04603eb344ac4a31c3650f751aa14
-
SHA512
7edcdd871752c14babd0ebf6fced4e59bf92c953710c4f1bd6f8dc22ed2768c6e4b4f2e382d7f89ad87c93b00273f86c786d4b2fe9f16a0205764e3387a1a685
-
SSDEEP
3072:1FsoVrqI7B2FDEeSs/quhQRiNoxaFzFzXGGxg:Uarv7B1eS5XRfxQyGx
Static task
static1
Behavioral task
behavioral1
Sample
705e9d3021467e35dd43057a8e412e0eddb04603eb344ac4a31c3650f751aa14.exe
Resource
win10v2004-20221111-en
Malware Config
Targets
-
-
Target
705e9d3021467e35dd43057a8e412e0eddb04603eb344ac4a31c3650f751aa14
-
Size
150KB
-
MD5
0325ec4dc777b79587a835850fb9ee72
-
SHA1
d764e57392b7b547887afd713a1962853f2c9620
-
SHA256
705e9d3021467e35dd43057a8e412e0eddb04603eb344ac4a31c3650f751aa14
-
SHA512
7edcdd871752c14babd0ebf6fced4e59bf92c953710c4f1bd6f8dc22ed2768c6e4b4f2e382d7f89ad87c93b00273f86c786d4b2fe9f16a0205764e3387a1a685
-
SSDEEP
3072:1FsoVrqI7B2FDEeSs/quhQRiNoxaFzFzXGGxg:Uarv7B1eS5XRfxQyGx
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Smokeloader packer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-