General
- Target: 34cb7fca8cb671327865d0bcf6de72bc.bin
- Size: 11.4MB
- Sample: 240622-ddh85svalg
- MD5: d8c92e1211d2e4874d4d387a62c27162
- SHA1: 48b84ec93cb6a623be6a0b6fd197eca7adc04b44
- SHA256: cbac572ff3187a962ec8c1964f77af891fc5d1a54c59cb5bb68286dbc66c27af
- SHA512: 3b9c8a417c114af01ae22422fbf1398dacbccbf7be98b7226302708e430528bb38a3797f233361758d9f18dd89a115607200bdbbaf914ddf1861a75efe10d8f4
- SSDEEP: 196608:axM6zDC266nOq/nYv1Fxpv2QMi54Yg/LmxhZO1Wdr1BsErjQguaDouJxCa0tqMUS:ay+DC26xq/n6O3pByxhZOM1+EXQgbk2C
Static task: static1
Behavioral task: behavioral1
- Sample: a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81.exe
- Resource: win10v2004-20240611-en
Malware Config
Targets
- Target: a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81.exe
- Size: 11.4MB
- MD5: 34cb7fca8cb671327865d0bcf6de72bc
- SHA1: f0b1cedace31b386c893530e6dce75c2ecfef083
- SHA256: a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81
- SHA512: a09a2fd355e0e7f7a7bf0c25fee3300d7e695f1871514181aef6cb7c5d9f085f6a3003cfea423ad3c79d1b463b2dd3e323c84ae6d8e352483270ee20e520d373
- SSDEEP: 196608:gcoxkLeUoO9/jmTUkXBnG9u21tvj0brnXiT8QPLaUQrsl2az0Desq3UOF2iQsmR3:rjLQO/64kBUu2vvjU2Tr+UfIaz0DgV2P
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (1)