General
Target: svhost.exe
Size: 3.1MB
Sample: 240723-rh3egaxblc
MD5: 0576f3975ecddbe6f36c7193c550220a
SHA1: b4d5fc9c7909de32af181bd9cafb0820b076b790
SHA256: 780ca35ebb46afcdf59c486a37810a3642351bacbbea241d770330a6d3a92249
SHA512: 40b2fe904756c9bda180c9812caa4d8e1b7e980a865aac636af0cd923e5d9aacad82a7e033fef6893877abf80dcc5bed32bfd1a79913d26c7e8357dd70800836
SSDEEP: 49152:ubA3jHf0AsSwuoLyIPINgqdqZtUac//CxLasJ1ENYN7RG/2rP7Cr4AwurD:ubSsS5wQCvLURCVJ12M2YI4Dun
Behavioral task: behavioral1
Sample: svhost.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: svhost.exe
Resource: win10v2004-20240709-en
Malware Config
Targets
Target: svhost.exe
Score: 10/10
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Modifies WinLogon for persistence
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Disables Task Manager via registry modification
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)