General
-
Target
LegacyPhasmo.rar
-
Size
634KB
-
Sample
240603-lwsjjaaf4z
-
MD5
b2800c86cdb04d471af2a27f3f7e416a
-
SHA1
1869929454f4d0b05fb4f51d1983e30be17a28ab
-
SHA256
ac8a08a5dd79ab90a206fe5f79c6d0982a3d9f21ea23daae9e0a04a0edd65892
-
SHA512
2d0e779995ad70a6d3176bf1a23a2d3b491f107b57ab4e768dcab3fa6fb1fd908e730a9e84b920727166950164ac68c5f6a4417276e35e7b2f23dafb056ed731
-
SSDEEP
12288:oEKaaOVozcA11bqV5kJPU/HJOoP84EaLROyu5718CSJo3oLcgsa6Tp5Q5:L+zPebkiPJOoP35s1h8Zo8R695E
Behavioral task
behavioral1
Sample
LegacyPhasmo/LegacyPhasmo.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
LegacyPhasmo/LegacyPhasmo.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
LegacyPhasmo/start.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
LegacyPhasmo/start.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1239969504654655528/VeqtFqysqjPq1RBqiaPnt8f3X7OZKPfU8tkQRyN212Fwc2hm58OjrMT9W-FnzCFUxfPD
Targets
-
-
Target
LegacyPhasmo/LegacyPhasmo.exe
-
Size
495KB
-
MD5
85946e8adc17bed93bb80005f2caabe7
-
SHA1
b7941993fc3c58a9a42296b82e43f0988feb2ed9
-
SHA256
649683f80b00b62ba0979634a6935088637e8b12f91ef8260dfaafa4840d6555
-
SHA512
331cc3635905ff7673f545c7570cbaae1fa7a7b5637a610d1ce801929d67b527e88cb1e453aa4b1c402ea2565e0e5fa6729d822d38527a6bd8f8e84348c6e51c
-
SSDEEP
6144:vloZM+rIkd8g+EtXHkv/iD42LM3t74sziKrd4UB8Fb8e1mgi04OA:NoZtL+EP82LM3t74sziKrd4UBsa00
-
Detect Umbral payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
LegacyPhasmo/start.bat
-
Size
1.1MB
-
MD5
7002fdc4d02a4ed4a5a6f56bc40efcef
-
SHA1
cef5ea6d5507392e4fd5cb9511160f4882b4d8b8
-
SHA256
6fddd93899ba0f1de262aa86d1e7f4ed3df8b29e9d2b9679d42b5a81addea6f4
-
SHA512
d5859012071a604563d96c8cffb9a5f12ae5a085b0160d3e90de140bd50c752d97287c1810140d72bf2404880fecd8332a458005e5e8052f5ad74cf11f12a538
-
SSDEEP
24576:U2G/nvxW3Ww0t6eSgFX3x5aC6FRMzpC6nHZW/n:UbA306e9FTtYeP0P
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-