General
-
Target
af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
-
Size
1.7MB
-
Sample
241118-xcswqssenc
-
MD5
6d41ecedcce80f8c3fa81d06041101e8
-
SHA1
a0c354fc73043792e994309472a61ddb35144a0d
-
SHA256
af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd
-
SHA512
874a83462cbc5ac0f71b0b18ab07a284106cdbfb19f170c83bc954cf1b017634e57374971df1f1a4ac33b24d91ebb234fcff80de5bd94a74a144f84c205557d5
-
SSDEEP
24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJz:NgwuuEpdDLNwVMeXDL0fdSzAGM
Behavioral task
behavioral1
Sample
af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd.exe
-
Size
1.7MB
-
MD5
6d41ecedcce80f8c3fa81d06041101e8
-
SHA1
a0c354fc73043792e994309472a61ddb35144a0d
-
SHA256
af806de6c621a99efd037e09772f4821a2b385f72f854abd105e3597799806dd
-
SHA512
874a83462cbc5ac0f71b0b18ab07a284106cdbfb19f170c83bc954cf1b017634e57374971df1f1a4ac33b24d91ebb234fcff80de5bd94a74a144f84c205557d5
-
SSDEEP
24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJz:NgwuuEpdDLNwVMeXDL0fdSzAGM
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-