General
-
Target
LisectAVT_2403002A_368.exe
-
Size
3.3MB
-
Sample
240725-aqngvawfjp
-
MD5
db8da2d409c3dc46afe0dd3454388f9c
-
SHA1
baa1e8196412a06919e37d888651916aae021b69
-
SHA256
4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823
-
SHA512
016d678636fafc456e146802da7b5d1b8be3f0b474e335158d65c1df4ae8bb241af43fdd278e99f6d50c6610f0fc775c48621b5d45c5841b904a7e1a971edfc0
-
SSDEEP
98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol
Static task
static1
Behavioral task
behavioral1
Sample
LisectAVT_2403002A_368.exe
Resource
win7-20240704-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1219193245557325834/Pny7ckgnLuo9kv28SEntCevPyhBWlY4AfJu4MogOozH9-s-mNnQ7UZJcF1RdHsmmAwgC
Targets
-
-
Target
LisectAVT_2403002A_368.exe
-
Size
3.3MB
-
MD5
db8da2d409c3dc46afe0dd3454388f9c
-
SHA1
baa1e8196412a06919e37d888651916aae021b69
-
SHA256
4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823
-
SHA512
016d678636fafc456e146802da7b5d1b8be3f0b474e335158d65c1df4ae8bb241af43fdd278e99f6d50c6610f0fc775c48621b5d45c5841b904a7e1a971edfc0
-
SSDEEP
98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Umbral payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1