General
- Target: injector.exe
- Size: 4.1MB
- Sample: 230328-d992qsaf51
- MD5: 05baef98bd302a685a7b0412341223ad
- SHA1: 3808f40778dd09ca2437e531725a48f1cbc34a50
- SHA256: aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41
- SHA512: 93e5f1c5176c473823bcb5e9ecbfffdd789962b401dbd7f7212126dcd3613f3a8a9005eee175590c4040b7a39c7288e3c47028700f579ab85d5b8b67c3d1cdaf
- SSDEEP: 98304:phfEZMB8SQTr3cEA6Ql2GyzXCNHmCWK4DYq5Ek:/fEZQ8NTrMB6QlozyOYqWk
Behavioral task: behavioral1
- Sample: injector.exe
- Resource: win7-20230220-en

Malware Config

Targets
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger