Extracted

• • Target

    Anti.exe

  • Size

    1.3MB

  • MD5

    c3f27c3bdf014d265645403a994872ed

  • SHA1

    381bd6a5b8c03045bd1d9fe88b7ef3475883c92d

  • SHA256

    90f4439d21fcc5c6ce3ef92098aa4d7fbb782d93905a56bddf623edbe5d91d8c

  • SHA512

    562f7683c05ebff7355e8ea31bfa5c880e0745a7c50013394e050109cd3973d6ea7997f39751c1841a2e0412ad8541f3ac25cc7ae7e2926f3ba173847fc530f0

  • SSDEEP

    24576:NIY/drYIr/3S51xkFyEVuxOJsBjK3Uv+eRJsLpTXar:NIARIbwyE0cJIjK3Uv+8sLFXy

  Score

  10^/10

  dcratxwormdiscoveryexecutioninfostealerrattrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Xworm Payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1