Extracted

Extracted

• • Target

    Modrinth_Installer.exe

  • Size

    5.6MB

  • MD5

    5c9cf1fe418466925327bc4afa746939

  • SHA1

    abe580c9b713685cd56866a8a19c31ea80914aea

  • SHA256

    54fb1f732205a069f0a0895ebb3b3bffcc34b7c8675e624ca3a8320e620cc916

  • SHA512

    a4518351ad34c045d2fec6ff231a1f68d06cbfdf4b128fe3f88508f8b4f96225bd01d5f457358c05f6adccdd7aab41d8119ee4a7d3ad0e9c13b429bbb01a8cb4

  • SSDEEP

    98304:ZvbNT+6HE4ThcGalSS9d+udj3mYcCqQcgT3XV8tEbETvsDHaLqV710ZZ9rPzrPW8://HMlS2JxmYcmcg7XGqb6Msq51GPf

  Score

  10^/10

  dcratxwormdiscoveryexecutioninfostealerpersistencerattrojan

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Xworm Payload

  • Modifies WinLogon for persistence

    persistence

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Blocklisted process makes network request

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1