Extracted

Extracted

Extracted

• • Target

    a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.bin

  • Size

    207KB

  • MD5

    04abca366cc648a461c1eee9a883bd12

  • SHA1

    889beaf9e13cfdc0d103c232c9a68c3febdbafaf

  • SHA256

    a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d

  • SHA512

    59ceed9b7cd95578200f7ffd749ff60e468784d29aee4f51510cda48089b068d999bfea7cbc2232d44c4746329bf5ecea9ae4225476e314b70f8f63388408b3e

  Score

  10^/10

  privateloaderevasionloaderspywarestealersuricatatrojandcratnymaimsocelarsxmrigcollectiondiscoveryexploitinfostealermainminerpersistenceratvmprotect

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies security service

    evasion

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars Payload

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata

  • suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

    suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

    suricata

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner Payload

    miner

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Possible privilege escalation attempt

    exploit

  • Stops running service(s)

    evasion

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2