Extracted

• • Target

    1fb476576bd4aeb366aa82b6240ff2e8.exe

  • Size

    4.9MB

  • MD5

    1fb476576bd4aeb366aa82b6240ff2e8

  • SHA1

    5ae8fba07122131f385bda0274967713d52057db

  • SHA256

    9f487d16cd0e0548b6bde75853d0cfcd4eb9362f61d101ce55740781e3e04b2d

  • SHA512

    360fcce899a22c55235078e3a72fe765fdedfeb9fc2effb3851dd629ea372440ca471dbe748a9e23ad41a3015c372f27a28c239c83abb186024b8c19026ebaa6

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

  Score

  10^/10

  dcratevasioninfostealerratspywarestealertrojancolibribuild1loader

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass

    evasiontrojan

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2