General
- Target: TechnicalFreeWoofer.exe
- Size: 14KB
- Sample: 240303-tgr88adc42
- MD5: fe93af586c138d3cfa13cee1361380ba
- SHA1: 09059ef2b2656514a25abe01f63f8604d8108287
- SHA256: d05d1bb76fdf811f988e61f21e73fdb0090064b9df79c8466b5d28b0fdcef1cf
- SHA512: a4759f443c103c552fd228a034d72f454e952a138272f0deb81ff131ac9b021212ea889150534f75164e6171edda01c640a5ef4035f06273dde17a4c900f462d
- SSDEEP: 384:krsPzmIJ3MGNPS0952hqw39MMEptYcFwVc03K:krsrmw3q09Uhqw39MMAtYcFwVc6K
Static task: static1
Behavioral task: behavioral1
- Sample: TechnicalFreeWoofer.exe
- Resource: win7-20240215-en
Malware Config
- Extracted: gozi
Targets
- Target: TechnicalFreeWoofer.exe
- Size: 14KB
- MD5: fe93af586c138d3cfa13cee1361380ba
- SHA1: 09059ef2b2656514a25abe01f63f8604d8108287
- SHA256: d05d1bb76fdf811f988e61f21e73fdb0090064b9df79c8466b5d28b0fdcef1cf
- SHA512: a4759f443c103c552fd228a034d72f454e952a138272f0deb81ff131ac9b021212ea889150534f75164e6171edda01c640a5ef4035f06273dde17a4c900f462d
- SSDEEP: 384:krsPzmIJ3MGNPS0952hqw39MMEptYcFwVc03K:krsrmw3q09Uhqw39MMAtYcFwVc6K
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)