General
Target: 2025-06-02_0ef481c3d110d931c6dcd016e065c9e5_black-basta_chapak_cova_cryptbot_darkgate_dcrat_elex_hawkeye_luca-stealer
Size: 2.7MB
Sample: 250602-lhbzmahq6s
MD5: 0ef481c3d110d931c6dcd016e065c9e5
SHA1: 974799a1337909ecea90b580e04d837a68c88a08
SHA256: 4f22748956c9ec725df67a7729730ae3d56f88dc37db966abfc3a7557bbdb69a
SHA512: e95256b9014f422dcc3ffda1b335152ac91bbb31155aead87b2056b6def4f185d05ccae88436731dd34c7b908f9484126c41f506b5893ffa9d5b0a2fcb0acc8a
SSDEEP: 49152:IbA30jpaKbkdZxtjneeQF0EzvRulLIwOpdea21xKMMWETLePnWxAsi:IbLpatbzeJFpvRqYSa21xyGwAsi
Behavioral task: behavioral1
Sample: 2025-06-02_0ef481c3d110d931c6dcd016e065c9e5_black-basta_chapak_cova_cryptbot_darkgate_dcrat_elex_hawkeye_luca-stealer.exe
Resource: win10v2004-20250502-en

Malware Config
Extracted: gurcu
https://api.telegram.org/bot7334804430:AAENpRr0uhF8YrTPMjVYxba7iorvVu_gBKo/sendPhoto?chat_id=7334804430&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20794d7f46e3d95f299406a657b7bbf24c75ca3da1%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20LZGONBTJ%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.85%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CWindows%5CShellExperiences%5Cupfc.ex
https://api.telegram.org/bot7334804430:AAENpRr0uhF8YrTPMjVYxba7iorvVu_gBKo/sendMessage?chat_id=7334804430
Targets
DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Gurcu family
Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
UAC bypass
Disables Task Manager via registry modification
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Checks whether UAC is enabled
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v16
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)