Overview
Static

Per-sample static analysis results (sample, platform, score):
- 98cae67f5c...4f.exe, windows7-x64, score 10/10
- 98cae67f5c...4f.exe, windows10-2004-x64, score 7/10
- 98cfbc262e...bc.exe, windows7-x64, score 7/10
- 98cfbc262e...bc.exe, windows10-2004-x64, score 10/10
- 98d8bede74...ed.exe, windows7-x64, score 10/10
- 98d8bede74...ed.exe, windows10-2004-x64, score 10/10
- 9905bf91d0...cd.exe, windows7-x64, score 10/10
- 9905bf91d0...cd.exe, windows10-2004-x64, score 3/10
- 99171e268b...08.exe, windows7-x64, score 3/10
- 99171e268b...08.exe, windows10-2004-x64, score 10/10
- 991fdf0c20...cd.exe, windows7-x64, score 10/10
- 991fdf0c20...cd.exe, windows10-2004-x64, score 10/10
- 9921900649...5f.exe, windows7-x64, score 10/10
- 9921900649...5f.exe, windows10-2004-x64, score 10/10
- 9941d8f932...2a.exe, windows7-x64, score 10/10
- 9941d8f932...2a.exe, windows10-2004-x64, score 10/10
- 997e8d89ff...b8.exe, windows7-x64, score 10/10
- 997e8d89ff...b8.exe, windows10-2004-x64, score 3/10
- 998566d8ea...73.exe, windows7-x64, score 10/10
- 998566d8ea...73.exe, windows10-2004-x64, score 10/10
- 99bf888072...4b.exe, windows7-x64, score 10/10
- 99bf888072...4b.exe, windows10-2004-x64, score 10/10
- 99f05fe5d0...13.exe, windows7-x64, score 10/10
- 99f05fe5d0...13.exe, windows10-2004-x64, score 7/10
- 9a11a17452...66.exe, windows7-x64, score 10/10
- 9a11a17452...66.exe, windows10-2004-x64, score 10/10
- 9a26a56f56...c3.exe, windows7-x64, score 8/10
- 9a26a56f56...c3.exe, windows10-2004-x64, score 10/10
- 9a292ed0f5...7a.exe, windows7-x64, score 10/10
- 9a292ed0f5...7a.exe, windows10-2004-x64, score 10/10
- 9a3fe6a67d...4c.exe, windows7-x64, score 10/10
- 9a3fe6a67d...4c.exe, windows10-2004-x64, score 10/10
General
- Score: 10/10
- Target: archive_38.zip
- Size: 67.9MB
- Sample: 250322-gzgtzsy1bv
- MD5: a5a89c3b39f3dc18c2f4be3ff7e43264
- SHA1: ba64b3c28f6323d8e20124d1b91be7c8a5d78f09
- SHA256: a1ddae9574bbeadd40b789fc8c7719b47c0d4bd8ed93abbd1d07f7e866ac40a6
- SHA512: 5634a8ed60ae394d399631f8a32091be266b2864d5191e3cc31ec233cd8bc72ef21a6eff39290ecada377fee46f2b1b4b813342d7dbcae6e0f7315ed6cd855b1
- SSDEEP: 1572864:kuS3wm7LVvArT7fbmcphAVnIioVFORvT2WauuOkAWrOLANqkUJ:egm0T2cp4+nORL2WauHkAW6Lk+
Behavioral tasks (task, sample, resource):
- behavioral1: 98cae67f5c84a8d9acc00a5117a1554f.exe, win7-20240903-en
- behavioral2: 98cae67f5c84a8d9acc00a5117a1554f.exe, win10v2004-20250314-en
- behavioral3: 98cfbc262ebb26100ed9ac81797240fd925afadc49cc2de443c5166155dea4bc.exe, win7-20240903-en
- behavioral4: 98cfbc262ebb26100ed9ac81797240fd925afadc49cc2de443c5166155dea4bc.exe, win10v2004-20250314-en
- behavioral5: 98d8bede7463eab3906d2bef4f619e0d387b872d36bc41df635c0458a9c87bed.exe, win7-20240903-en
- behavioral6: 98d8bede7463eab3906d2bef4f619e0d387b872d36bc41df635c0458a9c87bed.exe, win10v2004-20250314-en
- behavioral7: 9905bf91d0e085747b6f595a7eca6dcd.exe, win7-20250207-en
- behavioral8: 9905bf91d0e085747b6f595a7eca6dcd.exe, win10v2004-20250314-en
- behavioral9: 99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe, win7-20240903-en
- behavioral10: 99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe, win10v2004-20250314-en
- behavioral11: 991fdf0c20a212d8d3839c020318c3cd.exe, win7-20250207-en
- behavioral12: 991fdf0c20a212d8d3839c020318c3cd.exe, win10v2004-20250314-en
- behavioral13: 992190064968ef7869b0359d37b24d7f00e340c1a71ea87cde133a89ed24615f.exe, win7-20240903-en
- behavioral14: 992190064968ef7869b0359d37b24d7f00e340c1a71ea87cde133a89ed24615f.exe, win10v2004-20250314-en
- behavioral15: 9941d8f932e596ae65f70b976ecc4f6620bf5ffc6928800633ac9443c0e94c2a.exe, win7-20240903-en
- behavioral16: 9941d8f932e596ae65f70b976ecc4f6620bf5ffc6928800633ac9443c0e94c2a.exe, win10v2004-20250314-en
- behavioral17: 997e8d89ffb1f23d0014deeb51646ab8.exe, win7-20240903-en
- behavioral18: 997e8d89ffb1f23d0014deeb51646ab8.exe, win10v2004-20250314-en
- behavioral19: 998566d8ea82f0a3c8f337e42a95f373.exe, win7-20240729-en
- behavioral20: 998566d8ea82f0a3c8f337e42a95f373.exe, win10v2004-20250314-en
- behavioral21: 99bf8880724cd8aa8da8dcf4b716be4b.exe, win7-20240903-en
- behavioral22: 99bf8880724cd8aa8da8dcf4b716be4b.exe, win10v2004-20250314-en
- behavioral23: 99f05fe5d0501bee088a89917fddcd13.exe, win7-20240903-en
- behavioral24: 99f05fe5d0501bee088a89917fddcd13.exe, win10v2004-20250314-en
- behavioral25: 9a11a174522b81715e79c23c5d940a66.exe, win7-20240903-en
- behavioral26: 9a11a174522b81715e79c23c5d940a66.exe, win10v2004-20250314-en
- behavioral27: 9a26a56f5680ffdfbab3a6ba869833c3.exe, win7-20240903-en
- behavioral28: 9a26a56f5680ffdfbab3a6ba869833c3.exe, win10v2004-20250314-en
- behavioral29: 9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe, win7-20241010-en
- behavioral30: 9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe, win10v2004-20250314-en
- behavioral31: 9a3fe6a67de09aa96ba2e5be3280ea4c.exe, win7-20241023-en
- behavioral32: 9a3fe6a67de09aa96ba2e5be3280ea4c.exe, win10v2004-20250314-en
Malware Config

Extracted: asyncrat
- Version: 0.5.8
- Default
- C2: 127.0.0.1:6606
- C2: 127.0.0.1:7707
- C2: 127.0.0.1:8808
- C2: 127.0.0.1:8000
- ddsO1QLOdEGK
- delay: 3
- install: true
- install_file: Windows745635.exe
- install_folder: %Temp%
Extracted: njrat
- Version: 0.7d
- HacKed
- C2: hakim32.ddns.net:2000
- C2: if-contest.gl.at.ply.gg:5461
- a5a79fb1775f786eb21894fd18e9b5d3
- reg_key: a5a79fb1775f786eb21894fd18e9b5d3
- splitter: |'|'|
Extracted: xworm
- C2: hp-aggressive.gl.at.ply.gg:8877
- C2: 127.0.0.1:6258
- C2: would-portland.gl.at.ply.gg:6258
- Install_directory: %AppData%
- install_file: USB.exe
Extracted: njrat
- im523
- tomo no rabo
- C2: 127.0.0.1:5551
- 232142747b254d71feaaa3ed6502a584
- reg_key: 232142747b254d71feaaa3ed6502a584
- splitter: |'|'|
Extracted: umbral
- C2: https://discord.com/api/webhooks/1352290842009796729/G8yLk-T0sLJfX9oqfGwDEn679VpKN-s9_di6iL35v7J0EuZOmgrqGv_vPjXY_ihAjPfX
Extracted: (credentials)
- Protocol: ftp
- Host: s4.serv00.com
- Port: 21
- Username: f2241_dod
- Password: Ball900@@
Extracted: remcos
- Host: 213.183.58.19:4000
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: read.dat
- keylog_flag: false
- keylog_folder: CastC
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_sccafsoidz
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Extracted: remcos
- Version: 1.7 Pro
- Host: 213.183.58.19:4000
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: read.dat
- keylog_flag: false
- keylog_folder: CastC
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_sccafsoidz
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
Target: 98cae67f5c84a8d9acc00a5117a1554f.exe
- Size: 2.1MB
- MD5: 98cae67f5c84a8d9acc00a5117a1554f
- SHA1: 21527275a801dcac3efb0491f11e3d2904293fb0
- SHA256: fffd5222db48561afd0141bc1c15b66f10bec748d7430a6a4a79dc3899485f2f
- SHA512: 6044797b07bff8f9a78fc84f3279db7ff98517e03f26305dd58d62122ce199280c81a64aef68e7def789b4d7bd7fd1b6a8ab1c404f3f47ab97bcda1247b8d99a
- SSDEEP: 49152:X/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4CfI:J
Score: 7/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

Target: 98cfbc262ebb26100ed9ac81797240fd925afadc49cc2de443c5166155dea4bc.exe
- Size: 2.0MB
- MD5: b69787eb276e894867e7c1312657cc61
- SHA1: e8edb28768eb48b7db9ba147881c8e1b1cf4db68
- SHA256: 98cfbc262ebb26100ed9ac81797240fd925afadc49cc2de443c5166155dea4bc
- SHA512: df1e774909c03934cf73228447329b974205fe9604cf7b2dbc788cd2b33c803ad56a13aa12d828311de60a31165fef7155fad5340ac8524cf7202e9c3baacf99
- SSDEEP: 49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score: 10/10
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: 98d8bede7463eab3906d2bef4f619e0d387b872d36bc41df635c0458a9c87bed.exe
- Size: 1.7MB
- MD5: 2969ba68d7cb777ee4d1d94e3ca26b2e
- SHA1: 25b6ec11226afa942f8468d291a3989860acc934
- SHA256: 98d8bede7463eab3906d2bef4f619e0d387b872d36bc41df635c0458a9c87bed
- SHA512: 3069d2eb6c2c6e907908de56470e89858757966f785fcaf77f8fa1b37f5b69f97778b5f9764d8bfbbe99031c3a859355457f54e2350173fda80f2cb0e3e45e77
- SSDEEP: 24576:0D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoI1:0p7E+QrFUBgq2d1
- Remcos family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 9905bf91d0e085747b6f595a7eca6dcd.exe
- Size: 41KB
- MD5: 9905bf91d0e085747b6f595a7eca6dcd
- SHA1: 10955abe37a2ca6a42aa8c0cefbcadf3cafd0aa9
- SHA256: 9149934feacd6b6fbfcbf308005f48f1bd25470df5de900cf1821361c394bf1e
- SHA512: 77c00a468199c2c7ee4bed618dd4446f52c34bae500b264858918d8f03d0b18ea4d4c3bc0973c364f6606a165f80c29e64ddff9aa4fa6e7af15d8499b7589955
- SSDEEP: 768:OSJWpNoNh61tDcG5KNis0w2c6Rio9zr6FfP2E:+zoNA1SG5misGc6IgzrU3
Score: 3/10

Target: 99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
- Size: 1.6MB
- MD5: c108bff5d7cf5216d440596c5c03fea4
- SHA1: 33eba9f19413d2d26bcd5b21b49bb43563cc0808
- SHA256: 99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08
- SHA512: e92f8bd34f4aba2d026741fc883531532687579a97ceea6ea65926e2ff9e3a6905d959e21a24f0e8395cae8d676f972c05ea4e107875d3e41e9f6e05d436f4b3
- SSDEEP: 24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score: 10/10
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

Target: 991fdf0c20a212d8d3839c020318c3cd.exe
- Size: 2.0MB
- MD5: 991fdf0c20a212d8d3839c020318c3cd
- SHA1: cfeda955ef7520bae29f7d34f463b46bae0776c8
- SHA256: 2ab670a17091d7b3cf662a8be6d48c0a7679d712a8f7e02e46497d2bd9a5a7d2
- SHA512: e4140f5eddfe63aacb3ea1ee31051570c0068fcf9f74256c7433f66221475308d19072078eb6dec21ba6977b089c7c8c8f178d01eb0716e3a8f6e7f8bd6543a7
- SSDEEP: 49152:jrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:jdxVJC9UqRzsu+8N
Score: 10/10
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: 992190064968ef7869b0359d37b24d7f00e340c1a71ea87cde133a89ed24615f.exe
- Size: 2.0MB
- MD5: 177fa69d73d91edcd8e7f6e9b3b13321
- SHA1: 47c085d5d11b49a66826b9169b4cc3eb0b06f18b
- SHA256: 992190064968ef7869b0359d37b24d7f00e340c1a71ea87cde133a89ed24615f
- SHA512: 8cb2188ad452f6781b8d3faa606ca9d9671d1af5faaf4b3b2157a44212b9dca9b49ba74d494d72a61938beb1a400c1802378d43d2671864a79bdd7eb8cc77524
- SSDEEP: 49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
Score: 10/10
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: 9941d8f932e596ae65f70b976ecc4f6620bf5ffc6928800633ac9443c0e94c2a.exe
- Size: 198KB
- MD5: ba3ff80611dbb0fad8d1f1985f14d021
- SHA1: 6ef5df6ce43a740a71a806542c593836d1a89cbf
- SHA256: 9941d8f932e596ae65f70b976ecc4f6620bf5ffc6928800633ac9443c0e94c2a
- SHA512: 4c0c84af80f0544aa6fc1a9f21e20461149162751736bace09e4620b20be780b392f512c5b1f157a325b48e3a8ae9a46334f2eeae4155c50692076870bc7b809
- SSDEEP: 3072:/LLR0bredfUlNX8NFApCFROtLZv7kV6MS9TEjc4bHyN6+bKNhef2aMJ9:/L+uPA4ALZvau8bHwKvI2a
- Njrat family

Target: 997e8d89ffb1f23d0014deeb51646ab8.exe
- Size: 1.3MB
- MD5: 997e8d89ffb1f23d0014deeb51646ab8
- SHA1: 13ad27269884c5ea06ae44a601b4d1372cdc782e
- SHA256: f31b7b0d8fec7b8d3fb38deabc752db6a2687f6e927714cceadecce290aef89d
- SHA512: e59b2ada2b04b93a77c0c13c194594027859af5d15c1e357762c6860616632bb805a1f305819f2a2635818c4b8286f2635aa5a591e037e3c834235a4cbec5fb5
- SSDEEP: 24576:hCG/hWSboWdURjgXWZxuHIfz7y/8233t9Fge/7vorhAtjDmJDJyj:uSbbdURRwSz7y/8At9F//7gVwmf
Score: 10/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 998566d8ea82f0a3c8f337e42a95f373.exe
- Size: 45KB
- MD5: 998566d8ea82f0a3c8f337e42a95f373
- SHA1: e61b997562fadf8c805bf9d66b194db9fac2e958
- SHA256: c19fa552e9898ac3a969fccbd5225b286393e4d4ef0343df96794e0a633ba1c5
- SHA512: b7bdf4a03674899c02999a9a0f9f1fae67d97c0646d37fed97ae770d4ee1240a39f0388ff8dc6eac760bde12d6e291f5371c075ce49728fcf84e2edaddec6407
- SSDEEP: 768:wuYqlTLoczGWUgP28mo2qMAKjPGaG6PIyzjbFgX3irduljz5WpcBDZ7B:wuYqlTLbj2AKTkDy3bCXSrqz0p6d7B
- Asyncrat family
- Async RAT payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: 99bf8880724cd8aa8da8dcf4b716be4b.exe
- Size: 984KB
- MD5: 99bf8880724cd8aa8da8dcf4b716be4b
- SHA1: e680337915c7a5a85de7f89ec9bf5455cf3bc75f
- SHA256: da677897f339e128512b323a559ed62e782b2115237bb1a0a8bd1092c2d5723f
- SHA512: 05f82864179d4cbe15cf474001c1696b3a7a9d705864a14d41254a04bc9c56c87804a508d3f139f3db8297b0c50f9bbe2358552a2a0e5218f41bb245abb87c9b
- SSDEEP: 12288:zzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:zzZvuGD2PvA5YxwmbZB6Uv
Score: 10/10
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory

Target: 99f05fe5d0501bee088a89917fddcd13.exe
- Size: 224KB
- MD5: 99f05fe5d0501bee088a89917fddcd13
- SHA1: c9844f77a489184d6857cfeda58aa739f95a2b07
- SHA256: 17a942db32ea782d5c4d0219901f0cdfdb3f7926ca078e848257ec0eb7e4cab1
- SHA512: f39a644966d68f71017d9d72fc4f1564711294cad5933b1a279253411863fc05b583c4f888c7ba0d5b23d1eb0e418c628d29d8f505265c26bc2933b616ca09a6
- SSDEEP: 3072:dsXRmUIMitHqQmZe27vc6Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwlmfDD:KR5IbqQmZeG47RZBGxAycKpSPX2Y
Score: 10/10
- Modifies WinLogon for persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2

Target: 9a11a174522b81715e79c23c5d940a66.exe
- Size: 93KB
- MD5: 9a11a174522b81715e79c23c5d940a66
- SHA1: 7a98bdd8057a0d034e13ca85b5184a660ac187b1
- SHA256: 688c1a3286f2afa26f5c14d5bd3ac3eae66d059d314186409ed9060d815a47dd
- SHA512: da01cbf1de22500cce53be313280f7d317b4804f1065ac6f236baba2e60c8f9ba2697e204b5b2b7b9dccb2a7d6694fbdc1988bd8bf0c75e6c96041446aaedf0e
- SSDEEP: 1536:cOmC+xhUa9urgOB9RNvM4jEwzGi1dDIDGgS:cOgUa9urgONdGi1d+r
- Njrat family
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL

Target: 9a26a56f5680ffdfbab3a6ba869833c3.exe
- Size: 78KB
- MD5: 9a26a56f5680ffdfbab3a6ba869833c3
- SHA1: 3e59b45ce04bad8094a3f70cd95d328d15fcf22b
- SHA256: d160bc9c239b66071558c7e6429cd46dc85e37a3c153968d3d619fc69fc660d9
- SHA512: 7e82d0147de276751a0e0e3f39571202138330d1a7f902e66d819dfded9b17cb5a55e37c3a5d4e0732df8c65c5b4c630cf16d4c07fc927bba4df18946bb33613
- SSDEEP: 1536:fMr8x3ge6TdznSbgPkKm58VZlIuig/B+P7bFh1XDI6m0hOlfMhTo:0r8+e+SUPkl8iuiQ07bFh13hOlfMhTo
- Detect Xworm Payload
- Xworm family
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
- Size: 1.6MB
- MD5: 1537a2448a3278776c0ad106d583bf42
- SHA1: 3374a83147189b932096d99e2f34c5c185611242
- SHA256: 9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a
- SHA512: 51dab8150cfc0f8c830a3d583e53e6a89a9f05c95daf84dee27cabcd43e03ee2953391d25b366a4a902e6cae6e8b1d05a4eae832d4d51f9e47869ca984e9d10a
- SSDEEP: 24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score: 10/10
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory

Target: 9a3fe6a67de09aa96ba2e5be3280ea4c.exe
- Size: 1.1MB
- MD5: 9a3fe6a67de09aa96ba2e5be3280ea4c
- SHA1: 6e4ffce312e07e64e58d3711d22873956299792c
- SHA256: ad954fbd7d3e5259656f1f933b0d0e0528fca132b9212fceafb203211267efbf
- SHA512: fb3a712d3ac88c3510c8759a0ae3465fa376eda8875f80eef28231c3a0955fc49032200637a695cf7c3f0b7a3e05fa84fbaff3992d58148c5d016c0ecb8e983b
- SSDEEP: 12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa
Score: 10/10
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application

MITRE ATT&CK Enterprise v15 (technique, count of matching signatures)

Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)