Extracted

• • Target

    2bdf60ce1391ccc1a829a41c8b531dd5.exe

  • Size

    46.0MB

  • MD5

    2bdf60ce1391ccc1a829a41c8b531dd5

  • SHA1

    8fecb37b06dd016f820cbc55c1446aa34666bf12

  • SHA256

    06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

  • SHA512

    0091fc481589bb93b2c4352b600220691cd7f0e0ae7979d6cdf4c529db97613d40cf693b01e3b119bc69a3414ba3f700561ee2364474f48a80f2c9763f357359

  • SSDEEP

    24576:f5r3oaR/k4XDG/BcoNWmt2G/nvxW3Ww0tXegr2pdxgLHw8dQefBkrzCL7:dmtbA30XeY6o/QAU+L

  Score

  10^/10

  dcratumbralexecutioninfostealerratspywarestealer

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Umbral payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2