General
- Target: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
- Size: 1.8MB
- Sample: 240624-blzvrasekg
- MD5: 289f27e7a02f8e76ebf39d2c0c3f09e4
- SHA1: fb404a7a85d5fb617436f73832e4716556756d6a
- SHA256: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9
- SHA512: 38798cc71da6dfd8022dff2be635db8b938ba8d8dc5db8196802af2d9deb26dda145e0e581a6b8eb7022a1e0c33ff34c666cc4817f9f2ac50d1f362f434a75fe
- SSDEEP: 24576:KuDXTIGaPhEYzUzA0Dz46fMR/6Y/M3pPux8KVzVvu9JDcEL0NLpgjdyWhPOePTnK:9Djlabwz9PHMf/M3BuxbzuDQyBPXam0H
Static task: static1
Behavioral task: behavioral1
- Sample: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
- Resource: win10v2004-20240611-en
Malware Config
- Extracted: lumma
Targets
- Target: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Modifies WinLogon for persistence
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext