Overview
overview
10Static
static
10MsSavesSes...YY.bat
windows10-2004-x64
8MsSavesSes...YY.bat
windows10-ltsc 2021-x64
8MsSavesSes...YY.bat
windows11-21h2-x64
8MsSavesSes...YY.bat
windows7-x64
8MsSavesSes...O1.vbe
windows10-2004-x64
3MsSavesSes...O1.vbe
windows10-ltsc 2021-x64
3MsSavesSes...O1.vbe
windows11-21h2-x64
3MsSavesSes...O1.vbe
windows7-x64
3MsSavesSes...rf.exe
windows10-2004-x64
10MsSavesSes...rf.exe
windows10-ltsc 2021-x64
10MsSavesSes...rf.exe
windows11-21h2-x64
10MsSavesSes...rf.exe
windows7-x64
10MsSavesSes...le.vbs
windows10-2004-x64
1MsSavesSes...le.vbs
windows10-ltsc 2021-x64
1MsSavesSes...le.vbs
windows11-21h2-x64
1MsSavesSes...le.vbs
windows7-x64
1General
-
Target
comedic1.zip
-
Size
1.9MB
-
Sample
241201-xh1hrstjhj
-
MD5
ca992f98e8cf0653e5ac5b39d7b5be38
-
SHA1
99b01d44d0528f61bd20b4a419aece6fa03cbb53
-
SHA256
a2f2e7faee09ff22d394d74ca44ec2a153199d3af3936d1841f3d57c8eae721c
-
SHA512
aa083ced01c13a76b54dc9b45e1e91056dbb3dc6ac7f1764f0cddca3fb6e60465f8999daae8d7e219d5313c5c2a01dfe1f3579a8c4e63a8cf8b56446e4e6a835
-
SSDEEP
49152:agcpU2Cn4cFusy9lh5v0IcmB7pX+n2PCgPi0TzuQHqgxFJKRKHKpU4:wU2Cfuj3v0sBuQRjJKRKHKU4
Behavioral task
behavioral1
Sample
MsSavesSessionDll/9KjI6fqbs0yhjc5d8qYY.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
MsSavesSessionDll/9KjI6fqbs0yhjc5d8qYY.bat
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
MsSavesSessionDll/9KjI6fqbs0yhjc5d8qYY.bat
Resource
win11-20241007-en
Behavioral task
behavioral4
Sample
MsSavesSessionDll/9KjI6fqbs0yhjc5d8qYY.bat
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
MsSavesSessionDll/KGvUTlEKtYKB1JaFEhyBUO1.vbe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
MsSavesSessionDll/KGvUTlEKtYKB1JaFEhyBUO1.vbe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral7
Sample
MsSavesSessionDll/KGvUTlEKtYKB1JaFEhyBUO1.vbe
Resource
win11-20241007-en
Behavioral task
behavioral8
Sample
MsSavesSessionDll/KGvUTlEKtYKB1JaFEhyBUO1.vbe
Resource
win7-20240729-en
Behavioral task
behavioral9
Sample
MsSavesSessionDll/agentreviewPerf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
MsSavesSessionDll/agentreviewPerf.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral11
Sample
MsSavesSessionDll/agentreviewPerf.exe
Resource
win11-20241007-en
Behavioral task
behavioral12
Sample
MsSavesSessionDll/agentreviewPerf.exe
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
MsSavesSessionDll/file.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
MsSavesSessionDll/file.vbs
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral15
Sample
MsSavesSessionDll/file.vbs
Resource
win11-20241007-en
Behavioral task
behavioral16
Sample
MsSavesSessionDll/file.vbs
Resource
win7-20240903-en
Malware Config
Targets
-
-
Target
MsSavesSessionDll/9KjI6fqbs0yhjc5d8qYY.bat
-
Size
154B
-
MD5
24c4210b146054c31eb1f4e01f0f4005
-
SHA1
340eb576f0bc822344328fa3edf6638a60124381
-
SHA256
bf807e7bc8dbbebecd7a334f77b9a0b0eec352846fd673bdeab482642002ae2f
-
SHA512
46554f3f2441374a05ceee70c477aed58717f4e7e05ab57daa494f38a8f2b67b2f462a4a170bf4d3c54340d689934ca38462ee77299bca84cfdd0a7fe07dfa92
Score8/10-
Disables Task Manager via registry modification
-
-
-
Target
MsSavesSessionDll/KGvUTlEKtYKB1JaFEhyBUO1.vbe
-
Size
214B
-
MD5
70a585216ae3ecc7d0bb56903c227315
-
SHA1
6b661f901134aec8eba29d6b45cff5f8d9d56a58
-
SHA256
79fb626b5bf797bc6e1c72af3be07bbb1a606587890f1806b20ac984d57201c0
-
SHA512
02296eaa4d02a535b98961c1aeb410ff505b0e56e23eb7459f945707b94132cadaf12260e97cabff4e3981bc04bfd0318c4a1701eff92446edd5889609c806d9
Score3/10 -
-
-
Target
MsSavesSessionDll/agentreviewPerf.exe
-
Size
2.3MB
-
MD5
4e69fcf73418a08fcb8b3e7e2ecb43c4
-
SHA1
a3ecd09f65ca4e7821a0b7f8596edcd679573f5b
-
SHA256
fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4
-
SHA512
a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3
-
SSDEEP
49152:BwpUwcTZ0rUinysyVZl5LCCcG3RTXM34FIIPWYJxuQfUgtFneJ8BG5U:Bw1ctUyjTLC8puaX/neJ8BgU
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
MsSavesSessionDll/file.vbs
-
Size
34B
-
MD5
677cc4360477c72cb0ce00406a949c61
-
SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
-
SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
-
SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
Score1/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1