General
-
Target
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe
-
Size
3.3MB
-
Sample
240325-cn3j4agc5z
-
MD5
1d6590415fa189e9c982e883dc3bcdde
-
SHA1
8261a5718af6eb9ebee4e822e5bd0138f7915dc3
-
SHA256
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649
-
SHA512
304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e
-
SSDEEP
98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol
Static task
static1
Behavioral task
behavioral1
Sample
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe
Resource
win7-20240220-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1219193245557325834/Pny7ckgnLuo9kv28SEntCevPyhBWlY4AfJu4MogOozH9-s-mNnQ7UZJcF1RdHsmmAwgC
Targets
-
-
Target
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe
-
Size
3.3MB
-
MD5
1d6590415fa189e9c982e883dc3bcdde
-
SHA1
8261a5718af6eb9ebee4e822e5bd0138f7915dc3
-
SHA256
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649
-
SHA512
304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e
-
SSDEEP
98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Umbral payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Detects executables attemping to enumerate video devices using WMI
-
Detects executables containing possible sandbox analysis VM names
-
Detects executables containing possible sandbox analysis VM usernames
-
Detects executables containing possible sandbox system UUIDs
-
Detects executables packed with SmartAssembly
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1