Extracted

Extracted

• • Target

    117c359132faf42213eaac64727f05db.exe

  • Size

    4.9MB

  • MD5

    117c359132faf42213eaac64727f05db

  • SHA1

    e9833abb1fdff71b1e521b65300e8a4b3931d662

  • SHA256

    350154b0e3a6b19a71850f3aa2c6ae51e416332e904b4bdd219617a9e0d167e2

  • SHA512

    81e22905790200420632c41fc1b666d5d4c50ef58863ccf477f75c711f19c02549b2011cc2d6a7f51dacdd1c77da68b44250bcb59f39e9b8607ec6823c45ca19

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

  Score

  10^/10

  dcratevasioninfostealerrattrojancolibriredlinebuild1loaderspywarestealer

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • UAC bypass

    evasiontrojan

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2