Extracted

Extracted

Extracted

• • Target

    048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics

  • Size

    89KB

  • MD5

    048eede7e4b12dfe61d77fa97f936700

  • SHA1

    7095d2cc5bc4753b129b6cbb5ea777f9db539bff

  • SHA256

    04f5de46cb40a4157f8d41e92a29727f27252065164da929dda8d07ca1097877

  • SHA512

    b6b8e3028d892e08d191694f6bf8122998e411554812be1fc89e5b57f240c295017b36d63d257e0f82a701208e130cd5ad9f412265326328243493ddb64dd221

  • SSDEEP

    1536:3r7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfZwVZxOy:3nFfHgTWmCRkGbKGLeNTBfZG/

  Score

  10^/10

  executiondcratumbralinfostealerpyinstallerratspywarestealer

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Umbral payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2