General
Target: New Client.exe
Size: 178KB
Sample: 240622-r5z8masblg
MD5: 1889ac6b7826d878d00cd26083cd42f7
SHA1: 8514faaeea994385f78b1ded818dd14b2ccf4526
SHA256: 9e4e496db20db336f254e3ac6cadc64d8d8fd4cb67f41ea344a07fcf7a0838e3
SHA512: 16e202f1599a4e62eb2e6d7d20672040411bc14b122af23dbfe778faac84ce2da809b5a16501d46313582003c7a82f730db3b58b544d716db42b9741dadc2e3d
SSDEEP: 3072:hNscw0oN36tKQviFCcRBnjfWl9zPaF9bcYvMl4NpVq8BxFRzaqF+o2GQJ7/JzqVy:hsY9zkvMlgVqwlL
Behavioral task: behavioral1
Sample: New Client.exe
Resource: win10-20240404-en
Malware Config
Extracted
njrat
Platinum
LOX
127.0.0.1:14500
Word.exe
reg_key: Word.exe
splitter: |Ghost|
Targets
Target: New Client.exe
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)