Extracted

Extracted

• • Target

    d07f214246c81acfda423ed9d77f6ff5fb6e901897bfcab90b4a5acb66fe0732N

  • Size

    9.7MB

  • MD5

    ab44ddf2ab8b96d5800cdf8750a7d3b0

  • SHA1

    610ffbe93f0f29c5e57a8ddd760f8c6555fbfc90

  • SHA256

    d07f214246c81acfda423ed9d77f6ff5fb6e901897bfcab90b4a5acb66fe0732

  • SHA512

    16d0876d033c2c31c426005d6d82ab49427e93533f436275de72ba9339d4e392317e9c546abad2e6dbb7b6bddf7955134eba89cd7e5f4d10725228adfaf91f58

  • SSDEEP

    196608:llCUIBjwlCUIBjGlCUIBj0lCUIBjHlCUIBj5lCUIBj:rGBj4GBjOGBjEGBjFGBjHGBj

  Score

  10^/10

  darkcloudxredbackdoordiscoverypersistencestealer

  • DarkCloud

    An information stealer written in Visual Basic.

    stealerdarkcloud

  • Darkcloud family

    darkcloud

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred

  • Xred family

    xred

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2