General

  • Target

    Fluxus.exe

  • Size

    1.1MB

  • Sample

    240224-ss86fafe28

  • MD5

    f5ab76e991b3993cb87592fd73f7f085

  • SHA1

    3674f19b3edb1e70ef70eeed43ec0abe51762a4e

  • SHA256

    9bd3396602ac3cdb6508b15170466a45aef3c1dec2ae26384928f0c968de93d3

  • SHA512

    36893eaf345645aa9dbea58d5e14a569b5f45d105d5e12412c0c42dddf585ffdafa28fc8ae3d44a6e3270d7de88377436a7ea6aff91e51c2daa43a0c4b3e83ec

  • SSDEEP

    24576:U2G/nvxW3Ww0tKw0yRCKkqDtDRNkm7LW98tGTCs3UdM:UbA30gAHNqIhG

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1210617396449251438/U-VjIPQsCfZ4pTjSW3Z1gHU__HbtzMvbFPpRLmLEuU2JKQ6AE2B9xW4bmo3NKRYSGcl8

Extracted

Family

xworm

Version

5.0

Mutex

7HPThVXvkAP1rsac

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/U0WSvAxn

  • aes.plain
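The extracted configuration above gives a handful of high-confidence indicators: the sample's file hashes, the Xworm mutex, the Discord webhook that Umbral exfiltrates to, and the pastebin raw URL Xworm resolves its C2 from. The script below is an added example, not part of the sandbox report or of either malware family, that turns those indicators into an offline scanner: it hashes a blob, extracts ASCII and UTF-16LE strings from it (both families are .NET, whose string literals are stored as UTF-16), and looks for exact IOC matches as well as the generic Discord-webhook and pastebin-raw patterns so that a re-built sample with a rotated webhook still flags. The `SAMPLE` bytes are constructed here to exercise the code and are not the real `Fluxus.exe`.

```python
import hashlib
import re

# Indicators lifted from the report.
IOC_SHA256 = {
    "9bd3396602ac3cdb6508b15170466a45aef3c1dec2ae26384928f0c968de93d3": "Fluxus.exe (Umbral/Xworm)",
}
IOC_MUTEX = "7HPThVXvkAP1rsac"
IOC_C2 = ("https://discord.com/api/webhooks/1210617396449251438/"
          "U-VjIPQsCfZ4pTjSW3Z1gHU__HbtzMvbFPpRLmLEuU2JKQ6AE2B9xW4bmo3NKRYSGcl8")
IOC_PASTEBIN = "https://pastebin.com/raw/U0WSvAxn"
IOC_INSTALL_FILE = "USB.exe"

# Generic patterns so a re-packed build with a fresh webhook or paste still flags.
DISCORD_WEBHOOK_RE = re.compile(r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)")
PASTEBIN_RAW_RE = re.compile(r"https://pastebin\.com/raw/([A-Za-z0-9]+)")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Rough equivalent of `strings -a` plus UTF-16LE runs (.NET string literals)."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    utf16_runs = [m.group().decode("utf-16-le")
                  for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + utf16_runs


def scan(data: bytes) -> dict:
    """Return every indicator found in `data`, grouped by kind."""
    hits = {"sha256": None, "webhooks": set(), "pastebin": set(), "exact": set()}
    digest = sha256_of(data)
    if digest in IOC_SHA256:
        hits["sha256"] = IOC_SHA256[digest]
    for s in printable_strings(data):
        for m in DISCORD_WEBHOOK_RE.finditer(s):
            hits["webhooks"].add(m.group(0))
        for m in PASTEBIN_RAW_RE.finditer(s):
            hits["pastebin"].add(m.group(0))
        for ioc in (IOC_MUTEX, IOC_C2, IOC_PASTEBIN, IOC_INSTALL_FILE):
            if ioc in s:
                hits["exact"].add(ioc)
    # Freeze the sets so callers get stable, sortable output.
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in hits.items()}


def is_suspicious(hits: dict) -> bool:
    """Any hash match, any exact IOC, or any webhook/paste URL at all is worth a look."""
    return bool(hits["sha256"] or hits["exact"] or hits["webhooks"] or hits["pastebin"])


# Constructed test blob: a fake MZ header, the mutex as ASCII, the webhook as UTF-16LE
# (as a .NET literal would appear), and the pastebin URL as ASCII. Not the real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"\\" + IOC_MUTEX.encode("ascii") + b"\x00"
    + IOC_C2.encode("utf-16-le") + b"\x00\x00"
    + IOC_PASTEBIN.encode("ascii") + b"\x00"
    + b"C:\\Windows\\System32\\drivers\\" + IOC_INSTALL_FILE.encode("ascii") + b"\x00"
)

BENIGN = b"Just a text file with nothing interesting in it.\n" * 4


if __name__ == "__main__":
    for name, blob in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, is_suspicious(scan(blob)), scan(blob))
```

To use it on real artefacts, feed `scan()` the bytes of a dropped file, a process memory dump, or a pcap payload; the hash check only fires on the exact reported build, while the string and URL checks catch the same family after a rebuild.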

Targets

    • Target

      Fluxus.exe

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.

    • Detect Umbral payload

    • Detect Xworm Payload

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Umbral

      Umbral is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks