Extracted

• • Target

    ReallyBadOneLineOfCode.exe

  • Size

    8KB

  • MD5

    a4832f40c2364e3eb555fc2fc3b9a511

  • SHA1

    0344b64f658399be1cf771b74559fe6f34b90a58

  • SHA256

    edbbbed7a606c3631d750b64229ca669d182088324d2cab3f1a0d3ae924bd433

  • SHA512

    ef36b31bbb4f13286d3a390ca73678883807af2d00b437f212885348be51ea3eb173eb16beb958c44d6ca7852bcd686be95cbacea5d0b0be9e00db47f2d25f2e

  • SSDEEP

    96:UBe3qj40XieH7qdudJVkauNJI3WNtW1jYcFKNVcz1W4oKYMsLYUa:RaniebqgdJVkBI8stYcFwVc03KY

  Score

  10^/10

  dcratorcusinfostealerpyinstallerratspywarestealerupxexecution

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus main payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Orcurs Rat Executable

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2