General
-
Target
3b3499bf522f78f62b3f719f7078cbaa.bin
-
Size
2.3MB
-
Sample
240630-b5nxlavgrl
-
MD5
837ab38e52f2dcdc1bb500d497ba2001
-
SHA1
4010617794601d206f0ce4e0fc53c99540ed8753
-
SHA256
fc97fa4283d52a2bfcdfca418c45e39bc6fcd296d7494af69af64114802bb531
-
SHA512
b9e5051028fb57a399e486e5e7eacfe8de3a208c2f7889d00eaa842cdb0b79599df3b6402690cef8ab5761c9a6f8cf8303649875863240782eda3588cd61c01b
-
SSDEEP
49152:7CDNpbnRDsPLLQ3BqieE7ksurAkIIXf0cBQVEbBf7q2tBzV:WRFnuHQRq/VPkPUf0uTbhjtBh
Behavioral task
behavioral1
Sample
00db2c26608e0e750b9262587d68d19dfd37e45b185a22b9438fb309ceb15cd9.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
00db2c26608e0e750b9262587d68d19dfd37e45b185a22b9438fb309ceb15cd9.exe
Resource
win10v2004-20240611-en
Malware Config
Targets
-
Target
00db2c26608e0e750b9262587d68d19dfd37e45b185a22b9438fb309ceb15cd9.exe
-
Size
2.7MB
-
MD5
3b3499bf522f78f62b3f719f7078cbaa
-
SHA1
faccf8c8c028b3fef6678632766c19c271b99ed4
-
SHA256
00db2c26608e0e750b9262587d68d19dfd37e45b185a22b9438fb309ceb15cd9
-
SHA512
54951168609e925ecd20982b598de527079bee7f44c22b664ff45bd8f384d90f0733c36394ab020bcd25b0bbd75f760e4a6b5c916f04ac5084535c63063d4971
-
SSDEEP
49152:msWc2Z+L7pWCf65hydIoJOniHoLck1isle2FstJt9NTEKp58MAw:nWl+vpWS6r49GcTcFsjNn
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Scheduled Task (1)