Analysis
-
max time kernel
103s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
04/04/2025, 05:56
General
-
Target
2025-04-04_f7b4c0fad8ea1c80f5384bb45ad18b64_black-basta_cova_luca-stealer.exe
-
Size
2.1MB
-
MD5
f7b4c0fad8ea1c80f5384bb45ad18b64
-
SHA1
c68097749d0fced63ab1c22e4328e02b54df37ee
-
SHA256
c809df9e2d9115ddeb5e4f6c82ca7ee85753b78cd2396dbda6f951ef1b2e81af
-
SHA512
03ca9474fb9d03e920a0c755c3c2d8461d0446f10da7d72f15058b54ef063541004c821a0d46730c768e8d1e9823ec8710764e06bd5c441271e2da26ae9b46b9
-
SSDEEP
24576:2TbBv5rUyXVBlZLSBKYazsX35mwgHMB6uscrW/P0scp7WqNFcUpFwiCxRNuwujkJ:IBJBq5DS1cs+cUpFejgioKgOLaLVZm
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-04_f7b4c0fad8ea1c80f5384bb45ad18b64_black-basta_cova_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-04_f7b4c0fad8ea1c80f5384bb45ad18b64_black-basta_cova_luca-stealer.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortFontBrokerPerf\Y4EiKOdPrb8Z.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\PortFontBrokerPerf\Rtn7cpFGR9lldPKi6lSKrpTABHrWJw3F.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe"C:\PortFontBrokerPerf/BlockSavesMonitorDll.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wh132nkq\wh132nkq.cmdline"5⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD234.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCCB927F24FA094A94A58EA177A34AF4CD.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2izynudl\2izynudl.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2A2.tmp" "c:\Windows\System32\CSCACCEF99DAEC6453381405FAE9F326E1.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VYORqcMpOp.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Public\Documents\My Pictures\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\My Pictures\cmd.exe"C:\Users\Public\Documents\My Pictures\cmd.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Public\Documents\My Pictures\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\My Pictures\cmd.exe"C:\Users\Public\Documents\My Pictures\cmd.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\Media\Cityscape\winlogon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Media\Cityscape\winlogon.exeC:\Windows\Media\Cityscape\winlogon.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\Media\Cityscape\winlogon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Media\Cityscape\winlogon.exeC:\Windows\Media\Cityscape\winlogon.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\All Users\sysmon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\All Users\sysmon.exe"C:\Users\All Users\sysmon.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\All Users\sysmon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\All Users\sysmon.exe"C:\Users\All Users\sysmon.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\explorer.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\explorer.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exeC:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exeC:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockSavesMonitorDllB" /sc MINUTE /mo 8 /tr "'C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockSavesMonitorDll" /sc ONLOGON /tr "'C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockSavesMonitorDllB" /sc MINUTE /mo 11 /tr "'C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\PortFontBrokerPerf\BlockSavesMonitorDll.exeC:\PortFontBrokerPerf\BlockSavesMonitorDll.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\PortFontBrokerPerf\BlockSavesMonitorDll.exeC:\PortFontBrokerPerf\BlockSavesMonitorDll.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5f40a7dce8cf4fd30130b0c66820dd038
SHA1e6c85384db6fb3e9beb37979763de78977c772ef
SHA256ed8be6cca60868cc3902b49d1920cb8668a1a3c3f99a4bf55ee8c091e45c074f
SHA512e0000cfdebbd83edcc0dd0daa8f813f0848d4c0a7e7b2624d0358439921e92fbb69921fd8934b203a0fb4119445d9c04b60f4d37760a92babff8e95fc9c2dbdc
-
Filesize
104B
MD594fb8c242f1a075c7019b39500983b1a
SHA110781254369495e918bf0923ac2b567185c1337b
SHA256fca2097f81ff4ab35ec60d7dfc82c3f672f6dd181f21c414567a53b950382106
SHA5120e7863c5f038e0d68ddcca088b6dbaeca60cfb97fda916a530af774c37f0727f008a229815a0f940a156fba7c5cb3d89afb70c4d3e37d1077090b770d475893c
-
Filesize
229B
MD517687d6af43eed1b71b06021c50da290
SHA1c5b4f3de7003745ead126f88c02cac3bd4d25d5b
SHA25605ce8f3660c24152cc12d63d3f14e36d893279ef2797bcfde76b8cc91474bc00
SHA512209d79c140ea933763fde399267b6c1a128ca352cae282bdeaa38dd24ec72d023de35cc88c2e5cdbd2bf4583cfb900ae7fbce3429b2a5fce1ecee5e6b366673b
-
Filesize
1KB
MD5af6acd95d59de87c04642509c30e81c1
SHA1f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA2567521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA51293ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a
-
Filesize
847B
MD566a0a4aa01208ed3d53a5e131a8d030a
SHA1ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1
SHA256f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8
SHA512626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c
-
Filesize
1KB
MD512bbc804547b3a23fc5dd743a7785f32
SHA17e57e70a189699ddf4950ad6bc6c69abfbde9ac9
SHA2560647eaecb7afddb093f4836e4fb56844b16eee9b2011e66fbc55c835e5e4daf0
SHA5120730410f4728874a342f3d3e6a553adbda1f8b475312b881538a9fce62dbab080c63407639aa4e5f039017a43edf2864cb328fd880b7393cee53fd84885f1ac5
-
Filesize
1KB
MD515b89b4d6fcd57041a4e0a550ca6c71d
SHA1d3e2c0c885f9b64424f38842819441f1b449cf2f
SHA25631b04d85370a4b4b960559f874357ba3c09e32d8cb071f90d8801a6b70c34076
SHA512d5704008bada9e8a845fe9741a51a4c516a11b67a05beb688547e64bbc42c14dc1551eb01a050d22d82751e087daaf8a62ba2d7865dd4b8405f45a784a50eb31
-
Filesize
210B
MD55cf43330d2a652d127c1628e0d4623ac
SHA1fe11dcbc02815a5b31e6ed9d88ae199d29e65452
SHA256a3f8f3257094f3b8ce8978cc202621881b0d852b70987b1c2aeccb782004e94d
SHA512f5c3a2b03aba6a51c419c68b3ee2c7983d4bf69ab03c9c1c26eb758d8c73632314914c08f76fe34a96b94dc4305c624b60a7bfdb8ab1e40adf4b40fab5873375
-
Filesize
1KB
MD5b5189fb271be514bec128e0d0809c04e
SHA15dd625d27ed30fca234ec097ad66f6c13a7edcbe
SHA256e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f
SHA512f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e
-
Filesize
377B
MD50c71fc160a8cdcdd18a8c36881079bb5
SHA1a2d1a7b71cf6e96a69e99a3afa25e898f771fdbe
SHA256730dfc632e29e230d01ed8950983fa0e8595af5aefb34ad5ab0f1f32a9d75844
SHA512f86dea353944bb5a8c7af1ed605880d76127ae597b5cedbad0370efe536fd9dfdad1ffdea2620a7713bc65d3581983b0cb6fa95b792dc963b0da2f05d6145ee6
-
Filesize
235B
MD552c96e0abbcb47d9485ec90c58a93f90
SHA1f3583235fba82bd862662e649b53ec9c09c087b2
SHA256014841d0c23d687edc95029d7792e054fa61a5fa4d6b2c80348827b363b37a06
SHA5122e5a0392c77ebf8c3728dc96ef53eac870f81c41972b64e86efea13d00dcf10382459818655f189a06239f3fcc34e6488ebf8d724986a1d0f4eaa8da53ce712f
-
Filesize
407B
MD5753b5193f238560a54136145d1b3198a
SHA14f7ab71a8a3b56e34c356c871c6812f8e7bf8d93
SHA256c274607d66f3b86097705db1452fd79bf28501416a2601deac761a7da02aa7f0
SHA5120d0699486b180963981dc590ac57104f3d409e3a919538fdf5b87522ae4cc3b9d5695ee604fccd832ac592cb4b1bb01b89abe3da66a8d2539da1413afe98baa7
-
Filesize
265B
MD598017e842793004b45fc8d0aeb4d8d70
SHA1c50e8ba79f4e5bae5d734ccb6d28a1295b47200f
SHA25641447179f117b6e104d543efd79b27b04c8e63678f0adc09814c6cd532c02f44
SHA512bf71f08e620f418eac3c86f62c541231fa1fbdee84870c48730b5500548fbbccf780f5ea4ca73db12edfba026e86849fe5e476ec2492574dc0083db6dcee8fdd
-
Filesize
1KB
MD547c2c093d947e0ac02da7b691bc6fce5
SHA1cea2d7ae6980b07a96341527b162067d0382f07a
SHA256ed7a05f9a0b94b9625377eecd69e9741bb3c59a03f1acc19c488349da4fb391e
SHA512eaaa26d251e9d622168daf15ee1c881e5b9a7817251411d0c0e2badad42739e4cfdd62befed0298bf8f8c65850d343c4485b89853d7124cb086949a2d04f02e5
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
8KB