General
Target: 1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed.exe
Size: 65.0MB
Sample: 240524-qs6n7sfh79
MD5: 338a02ff68c87c2e7d097b380656d773
SHA1: ce40934e8be5b9538b39e29a071df219ea259d21
SHA256: 1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed
SHA512: 32bddf7228af9bfc96e5b5d8e231b56718d409294a923b7cbb11dc94364611b01064ec9a40a680de26dcd66b3ba54d1f234c0a7466b235147d7609b786731521
SSDEEP: 393216:9Om3Gy/7I4ro5jnVT5Xjbu8Y1l1zbg8i:om57IYis8m1b
Static task: static1
Behavioral task: behavioral1
Sample: 1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed.exe
Resource: win7-20240508-en
Malware Config
Targets
Target: 1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed.exe
Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Disables Task Manager via registry modification
- ACProtect 1.3x - 1.4x DLL software: detects a file protected with ACProtect.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation:
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)