General
Target: ROBLOXFARMER.exe
Size: 1.9MB
Sample: 240722-2np2faseqd
MD5: 0cdc894447aa85d4b2c744c6825a2e0e
SHA1: a4fcb12fcfaa38c8656964749962c9cdc2b9d82d
SHA256: d89a9ab35a2173a4ec62cc98d54e2ffbff2f0d985386f98a8e11c5dc905bcb83
SHA512: b8be16d455166089c7463ea876bfc293cbb851a86bb0846427c0ad1e70e1e978531031e04064c1287d1aafebf01da32b605d6039ef1f33dc4a48a49ddca7dedd
SSDEEP: 24576:u2G/nvxW3WieCgbyFbFdG74xU/FmYd3y7uQyBOueO9SEU5/UpdnrZ4Ef2w18:ubA3jgCgW+jxy79uz9SEWBCC
Behavioral task: behavioral1
Sample: ROBLOXFARMER.exe
Resource: win10-20240404-en
Malware Config
Targets
Target: ROBLOXFARMER.exe (1.9MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins at runtime.

Process spawned unexpected child process
A child process was launched that does not belong in the parent's normal process tree. This typically indicates the parent process was compromised via an exploit or a macro and is being used to launch the payload.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. The report does not show the exact command line; the standard cmdlet for this is Add-MpPreference with -ExclusionExtension, -ExclusionPath and -ExclusionProcess. Anything later dropped into an excluded path, or run as an excluded process, is no longer scanned.

Disables Task Manager via registry modification
Sets a policy value that stops the user from opening Task Manager to inspect or kill the process.

Checks computer location settings
Looks up the country code configured in the registry, most likely to geofence execution (run or abort depending on the victim's configured country).

Executes dropped EXE
Writes a second executable to disk and runs it.
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter: PowerShell (1)
Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
Abuse Elevation Control Mechanism: Bypass User Account Control (1)
Scheduled Task/Job: Scheduled Task (1)
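The behaviours flagged above (Defender exclusions added through PowerShell, Task Manager disabled via the registry, the country-code lookup, a dropped executable) and the scheduled-task technique in the ATT&CK mapping all leave checkable traces on a compromised host. The following PowerShell script is an added example written for this page; it is not part of the sandbox report and not code from the sample. It is a read-only triage pass over those traces, to be run elevated on a suspect Windows 10 host. The cmdlets and registry locations are the standard ones for these settings; the function names, the path patterns used to flag scheduled tasks, and the event-log filters are assumptions chosen for illustration.

```powershell
# Added example: read-only host triage for the artifacts described in the report.
# Function names, path patterns and event filters are assumptions for illustration.

function Get-DefenderExclusions {
    # The report says PowerShell was used to add Defender exclusions for extensions,
    # paths and processes; Get-MpPreference exposes the effective value of all three.
    $p = Get-MpPreference
    [pscustomobject]@{
        Extensions = @($p.ExclusionExtension)
        Paths      = @($p.ExclusionPath)
        Processes  = @($p.ExclusionProcess)
    }
}

function Get-DefenderExclusionEvents {
    # Defender writes event 5007 when its configuration changes; with script block
    # logging enabled, PowerShell event 4104 keeps the Add-/Set-MpPreference call itself.
    $defender = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Exclusions' }
    $psLog = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MpPreference|Exclusion(Extension|Path|Process)' }
    @($defender) + @($psLog) | Select-Object TimeCreated, Id, Message
}

function Test-TaskManagerDisabled {
    # "Disables Task Manager via registry modification": the policy value is
    # DisableTaskMgr under Policies\System in the user hive (or machine-wide in HKLM).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -eq 1) { return $true }
    }
    return $false
}

function Get-GeoNation {
    # "Checks computer location settings": the country code the sample reads is the
    # GeoID stored in HKCU\Control Panel\International\Geo\Nation.
    (Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' `
        -Name Nation -ErrorAction SilentlyContinue).Nation
}

function Get-SuspiciousScheduledTasks {
    # ATT&CK: Scheduled Task/Job. Flag tasks whose action runs from user-writable
    # locations (where a dropped EXE usually lands) or invokes PowerShell.
    # The path regex is an assumption; tune it to the environment.
    $pattern = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|powershell'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    Task    = $task.TaskName
                    Path    = $task.TaskPath
                    Command = $cmd
                }
            }
        }
    }
}

function Invoke-DcRatTriage {
    # Collects every check into one object so it can be serialised and attached
    # to a ticket (ConvertTo-Json / Export-Clixml).
    [pscustomobject]@{
        DefenderExclusions      = Get-DefenderExclusions
        DefenderExclusionEvents = @(Get-DefenderExclusionEvents)
        TaskManagerDisabled     = Test-TaskManagerDisabled
        GeoNation               = Get-GeoNation
        SuspiciousTasks         = @(Get-SuspiciousScheduledTasks)
    }
}

Invoke-DcRatTriage | ConvertTo-Json -Depth 4
```

Run it per logged-on user profile as well as from the responder's own session, because DisableTaskMgr and Geo\Nation live in HKCU and will only reflect the victim's hive when read in that user's context (or by loading the hive under HKEY_USERS). An empty exclusion list does not clear the host: the sample could have been run before the exclusions were applied, so treat the 5007/4104 events as the authoritative record of what was changed and when.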