Extracted

• • Target

    f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8

  • Size

    1.7MB

  • MD5

    0d0cbd8b11e2bbe939037e4182a7b951

  • SHA1

    c7293dbb015713168ad96ad809328fb6190f005d

  • SHA256

    f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8

  • SHA512

    340accc4c064d06230d3b8f1aaa1eec3c96f1c06892f75e79a7e81d9757c709ae301ba5e1b07f99b79bee4bec1f1ea7b27037b3f3fa9dba3dd86d24c3736f8ea

  • SSDEEP

    24576:P2G/nvxW3WV0wot5dYjknv/MynA1A1ozB0T83/YtH5Kzjd+ipdxQ49GI:PbA3fXaovYOSOY3/+Lsr

  Score

  10^/10

  dcratwarzoneratevasioninfostealerpersistenceratspywarestealerupxcollection

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Warzone RAT payload

    rat

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Modifies WinLogon

    persistence
  behavioral1behavioral2