General
-
Target
Flawless_spoofer.exe
-
Size
6.3MB
-
Sample
241230-mjt29sxmfs
-
MD5
38e709ac517d614b056920c080a7d894
-
SHA1
656bb142eb343e050f2dacf600ec2af401313961
-
SHA256
8f28bbf73966b57562935bbed85ce019ea10fd5a51373f302e4f7da063e262f4
-
SHA512
38eda11cfb8bb964408a9329d69d397f9949ad1d709c7cb2a286161ac1e130c0643ce694ea566923fc3452f66016e8ab1be3cc7b0e4881fde3eb10cad0959f1e
-
SSDEEP
98304:Dj6iFuhCq2QyII+6s03cMB0iPmsTN8o1FJaCjV08QqIOzk6wvAwCAYgYLbeuRrKD:chqI3zMxPvTN8oPJbVjcOzkPALzde
Static task
static1
Behavioral task
behavioral1
Sample
Flawless_spoofer.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Flawless_spoofer.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
Flawless_spoofer.exe
-
Size
6.3MB
-
MD5
38e709ac517d614b056920c080a7d894
-
SHA1
656bb142eb343e050f2dacf600ec2af401313961
-
SHA256
8f28bbf73966b57562935bbed85ce019ea10fd5a51373f302e4f7da063e262f4
-
SHA512
38eda11cfb8bb964408a9329d69d397f9949ad1d709c7cb2a286161ac1e130c0643ce694ea566923fc3452f66016e8ab1be3cc7b0e4881fde3eb10cad0959f1e
-
SSDEEP
98304:Dj6iFuhCq2QyII+6s03cMB0iPmsTN8o1FJaCjV08QqIOzk6wvAwCAYgYLbeuRrKD:chqI3zMxPvTN8oPJbVjcOzkPALzde
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Indicator Removal
1File Deletion
1Obfuscated Files or Information
1Command Obfuscation
1