Overview

Score: 10/10

Task | Sample | Platform | Score
static1 | Static | - | 10
behavioral1 | d1773dbf85...14.exe | windows7-x64 | 10
behavioral2 | d1773dbf85...14.exe | windows10-2004-x64 | 10
behavioral3 | d17833b5ad...14.exe | windows7-x64 | 10
behavioral4 | d17833b5ad...14.exe | windows10-2004-x64 | 10
behavioral5 | d19713a05b...60.exe | windows7-x64 | 10
behavioral6 | d19713a05b...60.exe | windows10-2004-x64 | 10
behavioral7 | d1a0b78620...86.exe | windows7-x64 | 10
behavioral8 | d1a0b78620...86.exe | windows10-2004-x64 | 10
behavioral9 | d1a62cde3f...76.exe | windows7-x64 | 9
behavioral10 | d1a62cde3f...76.exe | windows10-2004-x64 | 9
behavioral11 | d1ae74abc0...a4.exe | windows7-x64 | 3
behavioral12 | d1ae74abc0...a4.exe | windows10-2004-x64 | 3
behavioral13 | d1b8645939...8c.exe | windows7-x64 | 10
behavioral14 | d1b8645939...8c.exe | windows10-2004-x64 | 10
behavioral15 | d1d65f62ac...0f.exe | windows7-x64 | 3
behavioral16 | d1d65f62ac...0f.exe | windows10-2004-x64 | 10
behavioral17 | d1ec8c3742...5d.exe | windows7-x64 | 10
behavioral18 | d1ec8c3742...5d.exe | windows10-2004-x64 | 10
behavioral19 | d21427a7a6...37.exe | windows7-x64 | 7
behavioral20 | d21427a7a6...37.exe | windows10-2004-x64 | 7
behavioral21 | d2181d9845...ce.exe | windows7-x64 | 1
behavioral22 | d2181d9845...ce.exe | windows10-2004-x64 | 1
behavioral23 | d22a2ed71b...4e.exe | windows7-x64 | 7
behavioral24 | d22a2ed71b...4e.exe | windows10-2004-x64 | 10
behavioral25 | d23977a7d2...dd.exe | windows7-x64 | 3
behavioral26 | d23977a7d2...dd.exe | windows10-2004-x64 | 10
behavioral27 | d27cca2711...26.exe | windows7-x64 | 10
behavioral28 | d27cca2711...26.exe | windows10-2004-x64 | 10
behavioral29 | d28eec4485...4b.exe | windows7-x64 | 7
behavioral30 | d28eec4485...4b.exe | windows10-2004-x64 | 7
behavioral31 | d2b881f205...1d.exe | windows7-x64 | 10
behavioral32 | d2b881f205...1d.exe | windows10-2004-x64 | 10

General
- Target: archive_52.zip
- Size: 71.3MB
- Sample: 250322-g1ytwstks3
- MD5: 39ff75e3321a7b25efbfe703c7de94ec
- SHA1: 2963c4ae129ff1ebd7e3c65ee49a78739ffefa29
- SHA256: 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6
- SHA512: c319b1e4a03fa0288054c5bbfae1aec41752bcbb3459226c74f8b65f41eda917fb3f85afdd04c6de2e45191f24d38bb8142b3aca142a403b4aee01d3b00937d0
- SSDEEP: 1572864:e00oDoLShEghAVnI4A46clWQdheid+6HL3eQpGaJOeZQk:woD8Sh94Z5l1TdLuQMaJOeZQk
Static task: static1

Behavioral task | Sample | Resource
behavioral1 | d1773dbf85d917eb86780278256b5314.exe | win7-20240903-en
behavioral2 | d1773dbf85d917eb86780278256b5314.exe | win10v2004-20250313-en
behavioral3 | d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe | win7-20241010-en
behavioral4 | d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe | win10v2004-20250314-en
behavioral5 | d19713a05b239bb9c15e350f22976c60.exe | win7-20241023-en
behavioral6 | d19713a05b239bb9c15e350f22976c60.exe | win10v2004-20250314-en
behavioral7 | d1a0b78620011cdf2da572aca494dc7841cb4ca79d073b671d522434894ab086.exe | win7-20241010-en
behavioral8 | d1a0b78620011cdf2da572aca494dc7841cb4ca79d073b671d522434894ab086.exe | win10v2004-20250313-en
behavioral9 | d1a62cde3f49e619203ecf47cdef2cb02a768451ece298279ccf098016885b76.exe | win7-20240903-en
behavioral10 | d1a62cde3f49e619203ecf47cdef2cb02a768451ece298279ccf098016885b76.exe | win10v2004-20250314-en
behavioral11 | d1ae74abc0c8514f363c90e1a9b02aa4.exe | win7-20240903-en
behavioral12 | d1ae74abc0c8514f363c90e1a9b02aa4.exe | win10v2004-20250314-en
behavioral13 | d1b8645939d08182047951aa23291fa83dff7f397528319b6be11cb24885598c.exe | win7-20240903-en
behavioral14 | d1b8645939d08182047951aa23291fa83dff7f397528319b6be11cb24885598c.exe | win10v2004-20250314-en
behavioral15 | d1d65f62acce133f4e44c137020c260f.exe | win7-20241023-en
behavioral16 | d1d65f62acce133f4e44c137020c260f.exe | win10v2004-20250314-en
behavioral17 | d1ec8c3742e4e01173d709df1353dc5d.exe | win7-20240903-en
behavioral18 | d1ec8c3742e4e01173d709df1353dc5d.exe | win10v2004-20250314-en
behavioral19 | d21427a7a658882f85cfc0f0494d2337.exe | win7-20240903-en
behavioral20 | d21427a7a658882f85cfc0f0494d2337.exe | win10v2004-20250314-en
behavioral21 | d2181d98457190fa4bf7c49a700a5dfacba23a30d6377e5616aa9268c828dbce.exe | win7-20240729-en
behavioral22 | d2181d98457190fa4bf7c49a700a5dfacba23a30d6377e5616aa9268c828dbce.exe | win10v2004-20250314-en
behavioral23 | d22a2ed71bc83120e890a0b31d49984e.exe | win7-20240903-en
behavioral24 | d22a2ed71bc83120e890a0b31d49984e.exe | win10v2004-20250314-en
behavioral25 | d23977a7d2d13a4481eabc68752bf8dd.exe | win7-20241010-en
behavioral26 | d23977a7d2d13a4481eabc68752bf8dd.exe | win10v2004-20250314-en
behavioral27 | d27cca271192c44b146218aa9a2e4926.exe | win7-20240903-en
behavioral28 | d27cca271192c44b146218aa9a2e4926.exe | win10v2004-20250314-en
behavioral29 | d28eec44852da7258b49d5816a13e6fbb31a34b744a327656950df56f3fef14b.exe | win7-20240903-en
behavioral30 | d28eec44852da7258b49d5816a13e6fbb31a34b744a327656950df56f3fef14b.exe | win10v2004-20250314-en
behavioral31 | d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe | win7-20240729-en
behavioral32 | d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe | win10v2004-20250314-en
Malware Config

Extracted: xworm
- C2: working-drain.gl.at.ply.gg:26732, 127.0.0.1:7000, 127.0.0.1:7777
- Install_directory: %Temp%
- install_file: svchost.exe

Extracted: njrat
- Version: 0.7d
- Campaign ID: H2cKed bY TaKsHeR
- C2: z88.ddns.net:5552
- Mutex: 63836c251750e788af0d3ead7ef4cada
- reg_key: 63836c251750e788af0d3ead7ef4cada
- splitter: |'|'|

Extracted: revengerat
- Campaign ID: Guest
- C2: 192.168.1.37:1111
- Mutex: RV_MUTEX-aClgZblRvZwfR

Extracted: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 192.168.134.128:6606
- Mutex: 231421421412
- delay: 3
- install: false
- install_file: RegAsm
- install_folder: %AppData%

Extracted: agenttesla
- Exfiltration endpoint (Telegram Bot API): https://api.telegram.org/bot8031163681:AAFH2N6BlT_hbhu2xWrmOscGz8sn0r9CGYs/

Extracted: xred
- C2: xred.mooo.com
- payload_url:
  - http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  - https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  - http://xred.site50.net/syn/SUpdate.ini
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  - http://xred.site50.net/syn/Synaptics.rar
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  - https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  - http://xred.site50.net/syn/SSLLibrary.dll

Extracted: remcos
- Version: 1.7 Pro
- Botnet: Host
- C2: 213.183.58.19:4000
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: read.dat
- keylog_flag: false
- keylog_folder: CastC
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_sccafsoidz
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
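Not every address in the extracted configs is worth hunting for: three of the seven families point at loopback or RFC 1918 space (builder defaults or a lab test), and several of the xred payload URLs sit on shared services where blocking the domain would break legitimate traffic. The script below is an added example, not part of the sandbox report: it copies the C2 and payload values from the Malware Config section above and sorts them into routable IOCs, shared-service URLs and lab-only noise. The shared-service list and every classification rule are my own assumptions.

```python
"""Turn the C2 and payload values Triage extracted from this archive into a
hunting list that separates routable infrastructure from lab-only addresses.

Added example, not part of the sandbox report: the values are copied from the
Malware Config section; every classification rule below is my own.
"""
import ipaddress
from urllib.parse import urlparse

# Copied from the extracted configs (family -> raw C2 / payload values).
EXTRACTED = {
    "xworm": ["working-drain.gl.at.ply.gg:26732", "127.0.0.1:7000", "127.0.0.1:7777"],
    "njrat": ["z88.ddns.net:5552"],
    "revengerat": ["192.168.1.37:1111"],
    "asyncrat": ["192.168.134.128:6606"],
    "agenttesla": ["https://api.telegram.org/bot8031163681:AAFH2N6BlT_hbhu2xWrmOscGz8sn0r9CGYs/"],
    "xred": [
        "xred.mooo.com",
        "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
        "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
        "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
        "http://xred.site50.net/syn/SUpdate.ini",
        "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
        "http://xred.site50.net/syn/Synaptics.rar",
        "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
        "http://xred.site50.net/syn/SSLLibrary.dll",
    ],
    "remcos": ["213.183.58.19:4000"],
}

# Legitimate services abused as hosting or exfil channel (assumed list):
# block the exact URL or bot token, never the whole domain.
SHARED_SERVICES = {"api.telegram.org", "www.dropbox.com", "docs.google.com",
                   "freedns.afraid.org"}


def split_value(value):
    """Return (host, port, url) for a 'host:port', a bare host or a full URL."""
    if value.startswith(("http://", "https://")):
        u = urlparse(value)
        return u.hostname, u.port, value
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port), None
    return value, None, None


def classify(family, value):
    """Build an IOC record whose 'kind' tells a hunter how to use it."""
    host, port, url = split_value(value)
    rec = {"family": family, "host": host, "port": port, "url": url}
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and not ip.is_global:
        rec["kind"] = "lab-only"        # loopback / RFC 1918: useless on the wire
    elif host in SHARED_SERVICES:
        rec["kind"] = "shared-service"  # match the full URL, not the domain
    elif ip is not None:
        rec["kind"] = "ip"
    else:
        rec["kind"] = "domain"          # dynamic DNS / tunnel names: hunt on FQDN+port
    return rec


def build_hunt_list(extracted=EXTRACTED):
    """Group IOC records by kind, dropping duplicate host/port/url tuples."""
    out = {"ip": [], "domain": [], "shared-service": [], "lab-only": []}
    seen = set()
    for family, values in extracted.items():
        for value in values:
            rec = classify(family, value)
            key = (rec["host"], rec["port"], rec["url"])
            if key not in seen:
                seen.add(key)
                out[rec["kind"]].append(rec)
    return out


if __name__ == "__main__":
    for kind, recs in build_hunt_list().items():
        print(kind, [r["url"] or f'{r["host"]}:{r["port"]}' for r in recs])
```

The domain bucket (a tunnelling-service hostname and dynamic-DNS names such as ddns.net and mooo.com) resolves to whatever the operator points it at, so hunt on the FQDN and port rather than on today's IP. The Telegram bot token in the agenttesla config identifies the exfiltration channel; report it rather than probing it. File hashes for each dropped sample are in the Targets section below and complement this network list.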
Targets

Target: d1773dbf85d917eb86780278256b5314.exe
- Size: 224KB
- MD5: d1773dbf85d917eb86780278256b5314
- SHA1: 921c853202eada39d4f6e5f4a26fbfc3ea3a204f
- SHA256: b0f7b41da01a331e50612953ec181657074d9eb942361fcf3e97a10b544f43e1
- SHA512: 6ccee9720bd9a774f35943e56c930428d97c758afa4089912cb6d022311a7fc11c3b784b2c6d5e1bb630530f594041d48f67ae2834ea7eea024691b8b3345cf0
- SSDEEP: 1536:LEG93312zK86AO5BZqoLUbhFLC4Y6T16OUmRk3Pk9vjUxyjq:IG93P8mWCUbhNQOjRkfk+f
Signatures:
- Detect Xworm Payload
- Xworm family
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target: d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
- Size: 1.6MB
- MD5: 66d07aba299e88d9fd0562bdde9ef487
- SHA1: 3187acda67ed22501f39f2b436d064faf9464045
- SHA256: d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914
- SHA512: 64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875
- SSDEEP: 24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
- Score: 10/10
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE

Target: d19713a05b239bb9c15e350f22976c60.exe
- Size: 65KB
- MD5: d19713a05b239bb9c15e350f22976c60
- SHA1: b3653eabb3070cf31ffa1bfb4c728f0f8612248e
- SHA256: 04607114ecf76a4fe8522ee8a9306c8110dd936c44adb5a3ff32cfcdc275a7d7
- SHA512: 3ab552f2f642a15630e6b7acaf12040304c4c50a50b8eb004b79ca72cc90dc8b0d39ec33a290c1f5e0615ec8ba85dda3b073e31cca2691f642105d957715795a
- SSDEEP: 1536:7ogg0w/xs0rkZ6NcWB5ZP6bEurlDvYS+56RGl4Ow5jw:7ohpsIkZeMbEyYKGeOwRw
Signatures:
- Detect Xworm Payload
- Xworm family
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target: d1a0b78620011cdf2da572aca494dc7841cb4ca79d073b671d522434894ab086.exe
- Size: 880KB
- MD5: 54fab8b19cff15f0431e5fb1415f5e35
- SHA1: 22df553be076382ad84097e51a11ceea6110691f
- SHA256: d1a0b78620011cdf2da572aca494dc7841cb4ca79d073b671d522434894ab086
- SHA512: f2109f32d7e82b9d29c4e2f66281c758d8c397d71df0de4f775aeac69cd38962676a6c38f5ac606d579c651a160570a25259aa08f56d4f866c3234c4def42d62
- SSDEEP: 12288:Sp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRzwAY3Ar:SpugRNJI1D39dlfGQrFUxwAeAr
Signatures:
- Remcos family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: d1a62cde3f49e619203ecf47cdef2cb02a768451ece298279ccf098016885b76.exe
- Size: 8.5MB
- MD5: 772686c5dae13bb239cff557ad2ba438
- SHA1: 41fddf88a72223ddd0dbd7cb0cf3f4efb7b73d85
- SHA256: d1a62cde3f49e619203ecf47cdef2cb02a768451ece298279ccf098016885b76
- SHA512: 60de0c4cf3757c8f26241e8484c8f1255ad925a93f91c006b25ece59d3b83e8be20ab2ef6115cc351bc8e22302c7ba8540c17e1a7d1d073ac3c94d6d297307a9
- SSDEEP: 196608:jxSZrxSZExSZfU+2at3DS7sJav43YmOZdqUW8wvuube:jxSZrxSZExSZfU+2aJDSgJnmqxHvbbe
- Score: 9/10
Signatures:
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.

Target: d1ae74abc0c8514f363c90e1a9b02aa4.exe
- Size: 4KB
- MD5: d1ae74abc0c8514f363c90e1a9b02aa4
- SHA1: 99e4302fdba2b02ff5eb064bf03809e868aadd2c
- SHA256: 4d2d36942a7d28d621a8d859162237ce7d64b77cfebfd1b38027518efbc02374
- SHA512: 3b682b2ceb8dc7bfad1b5ba183a048e3c8f6df3e5b9451242dab1c0448f0188f2ce25e256ff37592aff1ef3485d7414eb6b57c05f50f5b544749de944cb926ab
- SSDEEP: 48:6Wm1tAqxZ8RxeOAkFJOcV4MKe28dMddQ6QeeLvqBH/uulB+hnqXSfbNtm:QijxvxVx9ZZnLvkRTkZzNt
- Score: 3/10
Signatures: none reported

Target: d1b8645939d08182047951aa23291fa83dff7f397528319b6be11cb24885598c.exe
- Size: 2.0MB
- MD5: 82416956a36751ccdbe03343574985e0
- SHA1: 913a587fe1d30351697bf9d8a29e3e8cd278d1b0
- SHA256: d1b8645939d08182047951aa23291fa83dff7f397528319b6be11cb24885598c
- SHA512: acb815f9c30a0cb19befd324f56365e9782824bac2bee86def54dcd4fbb6d6b9b22b8e07d7141af0964ee4c66ac4bb164d7f7141fdaab03e40af390a6dbc6b5e
- SSDEEP: 49152:zrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:zdxVJC9UqRzsu+8N
- Score: 10/10
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: d1d65f62acce133f4e44c137020c260f.exe
- Size: 81KB
- MD5: d1d65f62acce133f4e44c137020c260f
- SHA1: 9126e9b831a05735529357e4af31ce0d628ebdb6
- SHA256: 73ea9482307e2db84538256bcee3a207fbc8bf512715316c82f3b4cebe46d8b1
- SHA512: e3b370a46ca604ec0f3a9bf8e9a702560eea9068de1be244c7c33ca0a1f68b7f6ddade33656327a4b5f604b63e644b3be42dd719a04a5077230bfa4f964c23dc
- SSDEEP: 1536:1Pf20zEmeuVcp0l1kc2XCSIQiCXu6yMWKV:Nfd9JVq0fkDzJiCXu6yMX
- Score: 10/10
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext

Target: d1ec8c3742e4e01173d709df1353dc5d.exe
- Size: 885KB
- MD5: d1ec8c3742e4e01173d709df1353dc5d
- SHA1: 30c91b20f0ced765718860cbb2a9f39ca19cf20b
- SHA256: e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d
- SHA512: 1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65
- SSDEEP: 12288:+lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:+lNCv6XJ5BClaXfD9vUha+u
- Score: 10/10
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE

Target: d21427a7a658882f85cfc0f0494d2337.exe
- Size: 1.4MB
- MD5: d21427a7a658882f85cfc0f0494d2337
- SHA1: a3c7e31aa7beffc0b8c0fddbf140994ca07ed95f
- SHA256: 2ef232eae08620c8b18e4a139d126d3da312053701aaebd3032fb638fb553eae
- SHA512: e606969e162951b2a93dcd2a7271cc423b65adcc8e9b66ee95d3e13bac0611714f93bcb7a74a309a8eabeb541c40bc106c5b458b8e14ac24c7dd5a7ccc6cfc88
- SSDEEP: 24576:V8dvIOVmW6AbPsArkueRKmV3sNlHfiqJIM:VowONbkBuyKmBs7iM
- Score: 7/10
Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: d2181d98457190fa4bf7c49a700a5dfacba23a30d6377e5616aa9268c828dbce.exe
- Size: 407KB
- MD5: 0878aed9eae542df5c997f6c954daf59
- SHA1: 19874d9b7ab3f44be913e05eaaff6ff629211987
- SHA256: d2181d98457190fa4bf7c49a700a5dfacba23a30d6377e5616aa9268c828dbce
- SHA512: cd9dda4b56e40c44296afd6f5533758946f2f8000147014b506cff185dafd5dc2ea853cff4825d8065ecbf052bbb83e366261961560100be1c6dc59d9e4495b6
- SSDEEP: 6144:Ruvp7bVS6c8ZDYe6VlWT8b9zu53I4gEum4303NrrmRthb3qhoma:Ruh7bVS68PVle8UhgI3NnOlqhoma
- Score: 1/10
Signatures: none reported

Target: d22a2ed71bc83120e890a0b31d49984e.exe
- Size: 97KB
- MD5: d22a2ed71bc83120e890a0b31d49984e
- SHA1: 8f7d3b2560189b9b58b00b6778954cfa29872c48
- SHA256: ec73409a3ebab64f91ceeceda0abd110bd3c42e23ca4bbcb273c9fd71960006a
- SHA512: 9fb25c1a5fbe5b9a43566912ebe31d52c1fe51a9d1405745dbe5ee12f3ad7aa4c2aa5b7b895c49f0711d7faa6044fb7888c36181fb9c1c0c0cb1d334bdfd086d
- SSDEEP: 1536:aS8CnlE6aPvVVJQ/dejZ/uvOa3g7rFuqEWKFu027cQS:hZlmP3JjZ/uvLOrFuqZKFu027cQS
- Score: 10/10
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext

Target: d23977a7d2d13a4481eabc68752bf8dd.exe
- Size: 684KB
- MD5: d23977a7d2d13a4481eabc68752bf8dd
- SHA1: a1ce43fad2ea3f4ef2a325d2cb7332228064024c
- SHA256: 20aed1d218b695d49699aa9afb2f2e036b24ecf0654ac8e1253a99037ec44c1e
- SHA512: 2818b7a32c672b38f25d0bdcedb552854dd622192ad41129303dee7291d130cdcff84fade60c5a3081d36fa0a5bbaa1611064c822265eb71d675e9459bfcb39b
- SSDEEP: 12288:/rjGofSN4zQZnMZiX9WnWvX9xxB1RcpOleKnS9PapcrQk:mof24cDvX9xPEi5k
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Suspicious use of SetThreadContext

Target: d27cca271192c44b146218aa9a2e4926.exe
- Size: 13.8MB
- MD5: d27cca271192c44b146218aa9a2e4926
- SHA1: ba6be730d1f0403b6041e0609b509afa2773146e
- SHA256: b666b92191e0a318a27efefcce8e1348a982587d2afdf4999019ba387353c8d0
- SHA512: efb7958822aad317457f7c6b85e5e73af315b854d67fda756ff033b23255ce543bf7ee488fa476114627bc84ab0d1d045d2fd45aa3e40bf5d6b91102afbd9363
- SSDEEP: 393216:rGg4aKGg4aPGg4ayGg4a4Gg4aGGg4akGg4atGg4acGg4a0Gg4a0:LoPgWUSFai0
Signatures:
- Xred family
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: d28eec44852da7258b49d5816a13e6fbb31a34b744a327656950df56f3fef14b.exe
- Size: 35.0MB
- MD5: 341e0773e9deafbbce576955bf16c821
- SHA1: 4b4acee76ba76b90ff457ba372628d687b7000a2
- SHA256: d28eec44852da7258b49d5816a13e6fbb31a34b744a327656950df56f3fef14b
- SHA512: 48172c95eb1f57060cb52e23ffefeda32bff6002edab14912c84bcc753ac81125f903a82a6b337da980c96b486fbb4054fb9e8fbe298dde64aa77a1162d163e1
- SSDEEP: 786432:4XuCHGJTk6G76kMNr0R7QMMnmAwgmC7XJTmfsxH6YxlUyS:5ZPkMYsMMnmABVm0J6YW
- Score: 7/10
Signatures:
- Deletes itself
- Drops startup file

Target: d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
- Size: 999KB
- MD5: 7c3748401169a78459eb9603ff69e2b2
- SHA1: 1a5d82422f062f1ce5d6eb3cb41c56d066f7981f
- SHA256: d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d
- SHA512: ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12
- SSDEEP: 12288:/9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:/9pP5WS3lrMNyC9TJPCXBi
- Score: 10/10
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
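Most of the behaviours the sandbox flags across these targets (PowerShell adding Defender exclusions, Run-key and Winlogon persistence, startup-folder drops, the registry-based geofence, VM and BIOS fingerprinting, Outlook profile access) leave registry, process-creation or file-creation telemetry that an endpoint rule can key on. The block below is an added example, not part of the sandbox report: it runs a small rule set over constructed Sysmon-like events. The event shape is made up, and the registry paths in the rules are the ones these signatures are usually keyed on; they are my assumptions, not values taken from the report.

```python
"""Detection logic for the behaviours the report flags on these samples, run
over constructed telemetry events.

Added example, not part of the sandbox report. The event format is a made-up
Sysmon-like shape; the registry paths are assumptions about where each
behaviour lands, not values taken from the report.
"""
import re

# Constructed telemetry: flagged behaviours plus benign look-alikes.
EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden Add-MpPreference -ExclusionPath "C:\\Users\\Public" '
                '-ExclusionProcess "svchost.exe"'},
    {"id": 2, "type": "process",                         # benign: reads, does not add
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-MpPreference"},
    {"id": 3, "type": "registry_set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "data": r"C:\Users\victim\AppData\Local\Temp\svchost.exe"},
    {"id": 4, "type": "registry_set",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\remcos\remcos.exe"},
    {"id": 5, "type": "registry_query", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"id": 6, "type": "registry_query", "path": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"id": 7, "type": "registry_query",
     "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"id": 8, "type": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"id": 9, "type": "registry_query",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"id": 10, "type": "registry_query",                 # benign: unrelated key
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
]

# (rule name, event type it applies to, pattern over the matched field).
# Paths are assumed representative locations for each flagged behaviour.
RULES = [
    ("defender_exclusion_via_powershell", "process",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("run_key_persistence", "registry_set",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("winlogon_persistence", "registry_set",
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)),
    ("startup_folder_drop", "file_create",
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("geofence_country_lookup", "registry_query",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("vm_or_bios_fingerprint", "registry_query",
     re.compile(r"\\(VirtualBox Guest Additions|VMware Tools|HARDWARE\\DESCRIPTION\\System\\BIOS)", re.I)),
    ("outlook_profile_access", "registry_query",
     re.compile(r"\\Outlook\\Profiles", re.I)),
]


def field_for(event):
    """Process events are matched on the command line, everything else on the path."""
    return event["cmdline"] if event["type"] == "process" else event["path"]


def match(event, rules=RULES):
    """Return the names of every rule the event triggers."""
    return [name for name, etype, rx in rules
            if event["type"] == etype and rx.search(field_for(event))]


def run(events=EVENTS, rules=RULES):
    """Map event id -> triggered rule names, omitting events that hit nothing."""
    hits = {}
    for ev in events:
        names = match(ev, rules)
        if names:
            hits[ev["id"]] = names
    return hits


if __name__ == "__main__":
    for event_id, names in run().items():
        print(event_id, names)
```

Two of the flagged behaviours, "Suspicious use of SetThreadContext" and "Suspicious use of NtCreateUserProcessOtherParentProcess", are API-level and do not surface in registry, process-creation or file telemetry; they need an EDR or ETW source that records thread-context changes and parent-PID spoofing. The Run-key and Winlogon rules fire on any write, so pair them with an allow-list of known installers before alerting.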
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)