General
-
Target
1d6590415fa189e9c982e883dc3bcdde.bin
-
Size
3.3MB
-
Sample
240326-bw5hzsbc85
-
MD5
d097b2409df120b2407e624bedfad9c3
-
SHA1
0312440efd39ef78ac8042243aab3bd4c732753d
-
SHA256
ebb63a7970ae2ca874bb92352e3aef098a8db5d181c30ed20a071b2c5fa6994a
-
SHA512
aa4737da672d4c2abd49b13fa219c41b7d5ba0668b18a7e525e8e9bd499bba3b896dc2b73923fe2f2cdd53d9ec4cfcdb368c859cea133ad9af6d32a316417c93
-
SSDEEP
98304:XOnQfD8J7sYAgrk0Hv3cw0qiLpmodfVUYWJiG:GQSswkw3Hi1gYWAG
Static task
static1
Behavioral task
behavioral1
Sample
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe
Resource
win7-20240215-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1219193245557325834/Pny7ckgnLuo9kv28SEntCevPyhBWlY4AfJu4MogOozH9-s-mNnQ7UZJcF1RdHsmmAwgC
Targets
-
-
Target
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe
-
Size
3.3MB
-
MD5
1d6590415fa189e9c982e883dc3bcdde
-
SHA1
8261a5718af6eb9ebee4e822e5bd0138f7915dc3
-
SHA256
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649
-
SHA512
304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e
-
SSDEEP
98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Umbral payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1