Extracted

Extracted

• • Target

    ToriLauncher.exe

  • Size

    15KB

  • MD5

    8a25dfc69da1d9d86fd6b6aa54ce7fb9

  • SHA1

    e1448945d8218944eee8828a387faeeafcddcdd3

  • SHA256

    8a47dfd07adaaefcdb36c9ca7453c240dfe10c3dd4fa0e87f5c9769b7c48a5f1

  • SHA512

    63dbe47828d49f88a15c39499b73a699622a8a8ceeebe71c81aad95628d09c53353c6c4ff7431b688e569facd0582c40a6609b15aee150ff1e7b4082c97fae8a

  • SSDEEP

    384:n8rbishHxlUvJCB2NdCBhNokwVcqDkiCBYkMNt//ZNt/+4Nt/UVRD59KUC9u:nib5hxlUvJCB2NdCBhNokwVcqDkiCBYh

  Score

  10^/10

  auroradcratlaplasclipperevasioninfostealerratstealer

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

    stealeraurora

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas

  • Modifies security service

    evasion

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Stops running service(s)

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2