General
-
Target
a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
-
Size
4.3MB
-
Sample
240504-bz4e4ach56
-
MD5
898a94f29edc228ce3bd2054f3d5d6dd
-
SHA1
f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
-
SHA256
a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
-
SHA512
8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
-
SSDEEP
49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ
Static task
static1
Behavioral task
behavioral1
Sample
a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
Resource
win7-20240221-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-
Targets
-
-
Target
a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
-
Size
4.3MB
-
MD5
898a94f29edc228ce3bd2054f3d5d6dd
-
SHA1
f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
-
SHA256
a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
-
SHA512
8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
-
SSDEEP
49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Umbral payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Detects executables attemping to enumerate video devices using WMI
-
Detects executables containing possible sandbox analysis VM names
-
Detects executables containing possible sandbox analysis VM usernames
-
Detects executables containing possible sandbox system UUIDs
-
Detects executables packed with SmartAssembly
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-