General
-
Target
6c1f5d8c88959accc79396696fca4f40_NeikiAnalytics.exe
-
Size
3.0MB
-
Sample
240517-a29jfshe21
-
MD5
6c1f5d8c88959accc79396696fca4f40
-
SHA1
0d3d0aa5a6d57f6d6b4878fd8bb8a74abcfbf7f6
-
SHA256
6010d342cb5d71301a5f43312c4d11e844f85cb3e8b84152a85fbdfbe0594d12
-
SHA512
24f1f222587a9d30d268970f9d8838228ebb7d983443b8c2f1d1ac75181310ab8fa70358f1963391b2c3e368bc9eb74abca8b53d36e1bc3ad43a7efda1b38c82
-
SSDEEP
49152:AZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:07ZJ89LDSKrq3iGnnw+1YXw9OK
Static task
static1
Behavioral task
behavioral1
Sample
6c1f5d8c88959accc79396696fca4f40_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6c1f5d8c88959accc79396696fca4f40_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
Target
6c1f5d8c88959accc79396696fca4f40_NeikiAnalytics.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-