Extracted

• • Target

    fixnoblackmail.exe

  • Size

    1.2MB

  • MD5

    990b093e34cd09a232f0e2228f3b126b

  • SHA1

    a37a9b18ceb0f8bc6916cda25c851999d9859251

  • SHA256

    3a25f273c5c69615a17a5e9764846b1f44d1ade939602ec4da7e81229f9cc955

  • SHA512

    ebc2cd9e994fcce1a80259bbfc001d5700eaf035f6ee7ec5dd8d433fa4fa1899f7ffb3e52e0ba94de24beeae839574a6968387f72905a88d618e0222555f358a

  • SSDEEP

    24576:ijn9b91W4uOh3hmm6CpJQeBolPwRq9gFgBOv5eQuBFidboDBg:a9jW4uuRm/G3BoOgBKruBMlo

  Score

  10^/10

  dcratxwormexecutioninfostealerpersistencerattrojan

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Xworm Payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1behavioral2