Extracted

• • Target

    45ff4bbe10d3e2a0561d19219a4738e2.exe

  • Size

    1.2MB

  • MD5

    45ff4bbe10d3e2a0561d19219a4738e2

  • SHA1

    2bbb1c2ecf9dd62c9f22253030ae7a7b168d09a4

  • SHA256

    f9adac1ef0311f015cbb89d89b24b47dace93d4fafd417af475b09def8034c3f

  • SHA512

    ab2ccf3dce770ac2b9ac7dcb3acc402ecacc951172a4291f8e0fb39cff5caa5e93058c97ecd78e154e415c7ff9b9395549cff5c546f22beaf2627964f05c482f

  • SSDEEP

    24576:RjRu6SPKv/PvX2av85I1eBXJN46S2tYmLvnPlNbsN1owQNrLhEl:lvuKfvms85I1oOMYmLP9aN1zQNa

  Score

  10^/10

  dcratxwormdiscoveryinfostealerrattrojan

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Xworm Payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2