General
Target: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8
Size: 2.7MB
Sample: 240516-gfpqgsed5v
MD5: a78d0c51cca6fcf4a6ef0c33e5fd0bd4
SHA1: 5768a7cf4aeed1327d64087f55fc6fba34f817fd
SHA256: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8
SHA512: a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5
SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Behavioral task: behavioral1
Sample: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
Resource: win10v2004-20240426-en
Malware Config
Targets
Target: fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8
Detections:
- DcRat: DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Modifies WinLogon for persistence
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Detects executables packed with SmartAssembly
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)