General
-
Target
xv.exe
-
Size
3.4MB
-
Sample
240530-bghqnshf85
-
MD5
206f0969011e40819bcfcece99d553a2
-
SHA1
7010dbd633f55f5ba46eae803842502fc273998a
-
SHA256
c085c6939c35ebb90f365b78f1e7f142a92e4e91a1ce8538ddf3a5987a0b52d5
-
SHA512
9b8871fad697e269da27dec5a2498b34721d873eac6d3df9749b1b7d65e1c16b0499e76bdeae9161e108eeca9d05d454114c6d6d4614bb260cdd80752d396a37
-
SSDEEP
49152:ubA3jAVyB//taG2PUsUV5A6UXiEyGhjpXQovegYE1znhfocJKrJ:ubSB//tnktUV5YvFPYCzhg4KrJ
Behavioral task
behavioral1
Sample
xv.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
xv.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
Target
xv.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1
Bypass User Account Control
1
Scheduled Task/Job
1