Extracted

• • Target

    5779722125.exe

  • Size

    5.7MB

  • MD5

    44e4646b76a889c2115bdacc6e63ba2a

  • SHA1

    efe7c1dae715922ff19121ff4f0e97ca904ee536

  • SHA256

    91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

  • SHA512

    b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

  • SSDEEP

    1536:gpyA0Sdf7CwS+1iSpyOVvBkHA/BGGG/DoFVuZB3ZnMALr/pQZw3MIeqVz1iU80hy:gQcYyOx2TsuVxt11oPvZBhYU2

  Score

  10^/10

  dcratevasioninfostealerrattrojancolibribuild1loader

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass

    evasiontrojan

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of SetThreadContext

  behavioral1behavioral2