General
- Target: 898a94f29edc228ce3bd2054f3d5d6dd.bin
- Size: 3.6MB
- Sample: 240505-bvm8bade58
- MD5: 113d95e01eca6b087685fd31d893067d
- SHA1: 5946a14101c4c6421dbba75ac436d46a48a90756
- SHA256: 4174a9073fea7b22d8a973e2891d996b7d5b0eb94a85c538cd7da1a2c4c1e9c7
- SHA512: 949f38260d74e1e10327cf225d8781ced706572ede98a32dfeee6bd12d32dd2c354f0d0ff24fae3ff6b02cf285afbba8456987735ef2e5af81fd54bd5bda0858
- SSDEEP: 98304:+Yt7aeUqcE/zM0KJ3UCACEuvS67P1ZwtzKDIXp7Qnb:T7PUqlLVKJkvCEua6IoMXp7Qb
Static task: static1
Behavioral task: behavioral1
- Sample: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
- Resource: win7-20240221-en
Malware Config
- Extracted: umbral
  https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-
Targets
- Target: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
- Size: 4.3MB
- MD5: 898a94f29edc228ce3bd2054f3d5d6dd
- SHA1: f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
- SHA256: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
- SHA512: 8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
- SSDEEP: 49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Detect Umbral payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.