Extracted

Extracted

Extracted

• • Target

    4a147d7d897eb580b372ade588dcf1c1.exe

  • Size

    1.1MB

  • MD5

    4a147d7d897eb580b372ade588dcf1c1

  • SHA1

    d4edac822250f1537c5d06167dc844ee9aaa7f29

  • SHA256

    5e20f93b13e745880d9d70586d15868da85938f422ccea8fb4829ca4afac2c8e

  • SHA512

    0da14421bd51be5ace273ddaeb5f54f04af686b3d7fb6d4d992636b25b0c06ec337be9d13bdac6e2b61c6f62b2493fd5f8c126dfdbdc44659cf086dfa3dfa671

  • SSDEEP

    24576:Cy/9R/JROLKtriJRkItLgyibU1r8EK4B4GByPZpAYQG6DWF8ng:plR/LOLKxiJWegypr8EKvGchpw5yF

  Score

  10^/10

  evasionpersistencetrojandcrathealerredlinesmokeloaderlutyrmagiabackdoordiscoverydropperinfostealerratspywarestealer

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detects Healer an antivirus disabler dropper

  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2