Extracted

• • Target

    Nurik.exe.exe

  • Size

    1.4MB

  • MD5

    9493802d03c38018bec6f0c378ecccb2

  • SHA1

    3634874fe3f261f85549b4fa18de218c6e3a1023

  • SHA256

    7503a5dc33aaafdaeeb0b45e3688ce8dc3c640d9d7323302a3055bd18b83f5a9

  • SHA512

    190161d95cfa96022425d4bf0c9160a1758b07ffcb6954561203fded8f7046919aaf7253b682f99a52b8618649818814612b5a5d02de68ef4007d8ec2bb52140

  • SSDEEP

    24576:Pz2ABe2G/nvxW3WckpJWjXbNQsVZy8v8BQSsZWcJ4LO:Pz9MbA3wvW+sVZy8fZW

  Score

  10^/10

  44caliberdcratinfostealerratspywarestealer

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2