General
Target: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
Size: 3.7MB
Sample: 240513-zsjn4sde6x
MD5: 3aff466445051bd93a7ea3ae519587ef
SHA1: 516c1e9da912f6d988146fb812d88bdc7b30588a
SHA256: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
SHA512: 3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f
SSDEEP: 49152:UbA30nPNSHQAjwNVYyHycT6JYRAwWPScqhWtkOTwol8FxMQFQnSMvTklif/:UbhwTNJytcqgtkzoEOSMvTwif/
Behavioral task: behavioral1
Sample: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Resource: win10v2004-20240226-en
Malware Config
Targets
Target: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e (3.7MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10

Family: DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Signatures:
- Modifies WinLogon for persistence
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Detects executables packed with SmartAssembly
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15 (tactic > technique > sub-technique, with the number of matching signatures):

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)