General

Target: PornHub.exe
Size: 303KB
Sample: 240618-w7fzzsyclq
MD5: 9b95850ba61105402a304d85c4b2fb63
SHA1: 82b7de9e072659cb44c4dce2b8fef57ea2824b2f
SHA256: 9d91cb90ecc7461de1fc59118a06ebc4adabe2d3e31c918b229a6f49e3c8c87b
SHA512: 87828c6af036b083c0ca9bd4781b79a5be137e6a8b333b6aa81f44fba03568f743a327bf16c4b2995d42f4408f956a8846a7a2e2dd6d60ccf13418a7ff505f8c
SSDEEP: 6144:A0JfijNKuI9z1Uf2ysujR69SLDAoqLvqKSM4OHGobVKSZ+u:A0JfijNKuI9z1UWSo8Sou
Static task: static1
Behavioral task: behavioral1 (sample PornHub.exe, resource win10-20240404-en)
Behavioral task: behavioral2 (sample PornHub.exe, resource win10v2004-20240508-en)
Malware Config

Extracted family: njrat
Version: Platinum
Botnet: LOX
C2: 127.0.0.1:17799
Mutex: svchost.exe
reg_key: svchost.exe
splitter: |Ghost|

(The labels for the first four values were lost in extraction and are restored here from the standard njRAT config field order: Version, Botnet, C2, Mutex.)

Note that the C2 address is loopback. As configured, the sample cannot reach an external controller, so this is either a test build or a build whose host is rewritten elsewhere; do not use 127.0.0.1 as a network indicator. The port (17799), the non-default splitter (|Ghost|) and the reg_key/mutex name (svchost.exe) are the usable indicators from this config.
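The splitter is the field delimiter of njRAT's C2 messages, so it is the most specific network indicator in this config. The parser below is an added example (not code from the sandbox or from the sample) that cuts a reassembled TCP stream into njRAT-style messages and splits them on this build's delimiter. The framing it assumes (ASCII decimal length, a NUL byte, then the payload, with payload fields separated by the splitter) comes from public write-ups of the njRAT protocol, not from this report; the splitter and port are from the extracted config, and the traffic is constructed.

```python
"""njRAT-style C2 message framing, parameterised with this sample's splitter.

Added example for the report; not code from the sandbox or from the malware.
Framing ("<decimal length>\\x00<payload>", fields separated by the splitter)
follows public write-ups of the njRAT protocol and is an assumption about
this build. The splitter "|Ghost|" and the port 17799 are taken from the
extracted config. The traffic below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = b"|Ghost|"   # from the extracted config (stock njRAT builds use |'|'|)
C2_PORT = 17799          # from the extracted config; the host is loopback, so only the port is useful


@dataclass
class Message:
    fields: List[bytes]

    @property
    def command(self) -> bytes:
        return self.fields[0] if self.fields else b""


def frame(payload: bytes) -> bytes:
    """Wrap one payload the way the client does: "<len>\\x00<payload>"."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(buf: bytes, splitter: bytes = SPLITTER) -> Tuple[List[Message], bytes]:
    """Cut a reassembled TCP stream into complete messages.

    Returns (messages, leftover). A message whose body has not fully arrived
    stays in `leftover` so the caller can prepend it to the next read; a
    length prefix that is not a short decimal number ends parsing, which is
    the cue that the stream is not njRAT-framed at all.
    """
    msgs: List[Message] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break
        prefix = buf[pos:nul]
        if not prefix.isdigit() or len(prefix) > 8:
            break
        start = nul + 1
        end = start + int(prefix)
        if end > len(buf):
            break  # body still in flight
        msgs.append(Message(buf[start:end].split(splitter)))
        pos = end
    return msgs, buf[pos:]


def looks_like_registration(msg: Message) -> bool:
    """Heuristic for the initial check-in: njRAT sends an "ll" command followed
    by victim details (id, hostname, user, ...). The field layout is taken from
    public analyses and is an assumption, not read from this sample."""
    return msg.command == b"ll" and len(msg.fields) >= 8


def build_sample_stream() -> bytes:
    """Constructed traffic: a registration, a short command, then a truncated message."""
    registration = SPLITTER.join([
        b"ll", b"SGFjS2VkXzEyMzQ=", b"DESKTOP-1", b"victim", b"24-06-18",
        b"", b"Win 10 Pro SP0 x64", b"No", b"Platinum", b"..", b"", b"",
    ])
    return frame(registration) + frame(b"inf") + b"7\x00abc"


def summarise(buf: bytes) -> dict:
    msgs, leftover = parse_stream(buf)
    return {
        "messages": len(msgs),
        "commands": [m.command for m in msgs],
        "registration": any(looks_like_registration(m) for m in msgs),
        "leftover": leftover,
    }


if __name__ == "__main__":
    print(summarise(build_sample_stream()))
```

Because the host in this config is 127.0.0.1, a network detection built on the IP would never fire; matching the length-NUL framing plus the literal splitter bytes on an unusual destination port is what survives a rebuilt C2 host.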
Targets

Target: PornHub.exe (303KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10

DcRat
DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that can load additional plugins. This family tag disagrees with the extracted configuration, which is njRAT; the configuration was recovered from the sample's own settings and is the stronger evidence, so confirm the family before reporting it.

Process spawned unexpected child process
This typically indicates that the parent process was compromised via an exploit or a macro.

Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence.

Drops startup file

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)