General
- Target: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0
- Size: 2.3MB
- Sample: 230313-lk6a9abg2y
- MD5: ec50388a69792d133c1298e1dceb40a6
- SHA1: 80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb
- SHA256: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0
- SHA512: fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59
- SSDEEP: 49152:PuxU6VfbIhv2/g8nn7HoqW2m86bzBvwv+P9gB8xy2LmQKV:Wi6VzIA/gg7IR8iVgB8xybQKV
Behavioral task
- behavioral1
- Sample: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0.exe
- Resource: win10-20230220-en
Malware Config
Targets
- Target: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0
- Size: 2.3MB
- MD5: ec50388a69792d133c1298e1dceb40a6
- SHA1: 80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb
- SHA256: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0
- SHA512: fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59
- SSDEEP: 49152:PuxU6VfbIhv2/g8nn7HoqW2m86bzBvwv+P9gB8xy2LmQKV:Wi6VzIA/gg7IR8iVgB8xybQKV
- DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process: This typically indicates that the parent process was compromised via an exploit or a macro.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of NtSetInformationThreadHideFromDebugger